The web is growing up and getting faster and more secure. Making that the default is hard to achieve when you have to be backwards compatible, and some of the stuff we built 10 years ago is now a serious security liability. The answer: headers. Lots of headers.
JS Fest 2019. Andrew Betts. Headers for hackers - JSFestUA
HTTP has been gradually adding lots of new and exotic headers, and more are on the way. Learn about current best practices with Vary, Link, Content-Security-Policy, Referrer-Policy, Client-Hints, Clear-Site-Data and Alt-Svc, upcoming features such as Feature-Policy and proposals like Variants, Early-Hints and Origin-Policy. HTTP gives you incredibly powerful control over many aspects of the way a browser will process the page and is often a more effective or more secure option than trying to achieve the same effect with tags or script in the page.
Integrity protection for third-party JavaScript - Francois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.
In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up (e.g. Referrer Policy, Subresource Integrity).
As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2016. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking.
This talk will introduce developers to the security features of the web platform they can use today and show end-users how they can harden their Firefox browser.
https://www.linuxfestnorthwest.org/2016/sessions/security-and-privacy-web-2016
HTTP For the Good or the Bad - FSEC Edition - Xavier Mertens
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was updated and presented at the FSEC conference in Croatia, September 2017.
A review of the webshells used by bad guys. How they are protected but also mistakes in their implementation. This talk was presented at the OWASP Belgium Chapter Meeting in May 2017.
In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages.
As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications.
https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en
Webinar slides: How to Secure MongoDB with ClusterControl - Severalnines
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, yet it could have been prevented with two or three simple configuration changes. MongoDB offers a lot of security features out of the box; however, they are disabled by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
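The two configuration changes the webinar refers to, as an added example that is not Severalnines' or ClusterControl's code: an exposed mongod.conf next to the corrected one, and a check that can be run over a config file before the instance is declared safe. Both config files are constructed for this example, and the parser handles only the flat "section / key: value" layout mongod.conf uses, not general YAML.

```javascript
// Added example, not from the webinar: the mongod.conf settings the ransom
// incidents hinged on, with an audit function for a config file.
const exposedConf = `
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
# no security section: authorization is off, every client is a superuser
`;

const hardenedConf = `
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # add the replica set's private addresses here, never 0.0.0.0
security:
  authorization: enabled # clients must authenticate and only get their roles
`;

// Minimal parser for the two-level "section:\n  key: value" layout of mongod.conf.
function parseConf(text) {
  const conf = {};
  let section = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trimEnd();   // strip comments
    if (!line.trim()) continue;
    const m = /^(\s*)([^:\s]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    const [, indent, key, value] = m;
    if (indent.length === 0) { section = key; conf[section] = conf[section] || {}; }
    else if (section) conf[section][key] = value;
  }
  return conf;
}

function auditMongoConf(text) {
  const conf = parseConf(text);
  const net = conf.net || {};
  const security = conf.security || {};
  const findings = [];
  // mongod 3.6 and later default to localhost, so an absent bindIp is safe
  const bindAll = net.bindIpAll === 'true' ||
    (net.bindIp || '127.0.0.1').split(',').some(ip => ['0.0.0.0', '::', '*'].includes(ip.trim()));
  const authz = security.authorization === 'enabled';
  if (!authz) findings.push('security.authorization is not enabled: any client that connects gets full access');
  if (bindAll) findings.push(`net.bindIp ${net.bindIp || '(bindIpAll)'}: the instance accepts connections on every interface`);
  if (bindAll && !authz) findings.push('reachable and unauthenticated: the configuration the ransom notes were left on');
  return findings;
}
```

Once `authorization: enabled` is in place, the first administrator is created through the localhost exception in the mongo shell: `use admin` followed by `db.createUser({ user: "admin", pwd: "<strong password>", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })`; after that, every connection, including the one the audit tool uses, has to authenticate.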
WSO2Con USA 2015: Securing your APIs: Patterns and More - WSO2
Businesses today are rapidly moving from being service enabled to being API enabled. Moving into the world of APIs brings with it its own set of complexities and challenges that are tough to tackle. API security, performance, scalability, monitoring and notifications are key areas to be focusing your engineering efforts on. The WSO2 Carbon platform is a complete open source enterprise middleware platform which includes products catering to your various different enterprise needs.
This talk will focus on leveraging the extensive feature set and extensible nature of the WSO2 platform to secure, monitor and monetize your APIs. It will also touch upon some of WSO2’s experiences with customers in building API ecosystems that suit modern day enterprises.
HTTP Security Headers Every Java Developer Must Know - Ayoma Wijethunga
Demonstration-based session on the HTTP headers relevant to the security of web applications. The target audience is web developers, with particular attention given to Java.
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF - Mark Stanton
See http://blog.gruden.com/category/js-security for more info.
A walk through real-world web site vulnerabilities. Mark shows step by step how vulnerable web sites can be exploited, from triggering annoying pop-up windows to more sinister attacks involving session stealing and rewriting page content. Learn how to test for and protect against these increasingly common attacks.
- http://www.webdu.com.au/session/be-afraid--be-very-afraid--javascript-security-xss-and-csrf
In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template-- hopefully NoConName will share the templated version online as well)
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh, exotic Mac stuff" or "let's fuzz the kernel", or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, working around security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries, and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but thought twice because it's only available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Content Security Policies: A whole new way of securing your website that no o... - Miriam Schwab
Content Security Policies (CSP) are an additional layer of security that you can add to your websites to protect your users from XSS attacks, but it is only used by about 2% of the Internet. This presentation was given at WordCamp Europe 2018 and explains the threats posed to website visitors, how CSPs can help, and how they work. #wceu
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
Use Monitoring, Logs, and Analytics Tools to Measure CDN and Site Performance... - Amazon Web Services
In this session, use metrics and logs from Amazon CloudFront, and tools such as Amazon CloudWatch and third-party performance measurement tools, to measure and improve your web and mobile performance.
NYC WebPerf Meetup Feb 2020 - Measuring the Adoption of Web Performance Techn... - Paul Calvano
Performance optimization is a cyclical process. We are constantly learning new ways to optimize, while simultaneously adopting new technologies and techniques that negatively impact performance. The HTTP Archive provides a great historical record of the technical side of the web, with almost 10 years of history and an ever growing dataset of sites.
During this session Paul will provide a brief overview of the HTTP Archive and then dive into some insights into the adoption of common web performance techniques and some of their measurable impacts.
These slides are part of my presentation at the Confraria0day conference in March 2017. It is an introduction to the various HTTP security headers. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
The presentation is devoted to networking and tips for improving web performance. Further presentations will dwell on more practical aspects of improving web application performance. All four presentations will help you reduce latency, improve the optimization of JavaScript code, discover tricky parts of working with browser APIs, see best practices for networking and learn lots of other important and interesting things. Enjoy! =)
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014 - Amazon Web Services
Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.
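The kind of analysis the session describes, as an added example that is not AWS material: a parser for the Combined Log Format with the customary `%D` request-duration field appended, and a pass over the parsed lines that pulls out the three signals named above (a performance figure, a security signal and an error rate). The log lines are constructed for this example, and the scanner threshold is this example's choice.

```javascript
// Added example, not from the session: parse Combined Log Format lines and
// derive p95 latency, 5xx rate and scanner-like clients from them.
// The trailing "%D" (microseconds) is a common customisation, hence optional.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"(?: (\d+))?$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;   // unparseable lines are counted nowhere; report them separately in production
  return {
    ip: m[1], time: m[2], method: m[3], path: m[4], protocol: m[5],
    status: Number(m[6]), bytes: m[7] === '-' ? 0 : Number(m[7]),
    referer: m[8], userAgent: m[9], micros: m[10] ? Number(m[10]) : null,
  };
}

// A client that collects many distinct 404s in a short window is probing for
// files that do not exist on this site: the classic scanner signature.
function analyze(lines, { scanThreshold = 5 } = {}) {
  const perIp = new Map();
  const durations = [];
  let total = 0, serverErrors = 0;
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    total++;
    if (r.status >= 500) serverErrors++;
    if (r.micros !== null) durations.push(r.micros);
    const s = perIp.get(r.ip) || { requests: 0, notFound: new Set() };
    s.requests++;
    if (r.status === 404) s.notFound.add(r.path);
    perIp.set(r.ip, s);
  }
  durations.sort((a, b) => a - b);
  const p95Micros = durations.length ? durations[Math.min(durations.length - 1, Math.floor(0.95 * durations.length))] : null;
  const scanners = [...perIp].filter(([, s]) => s.notFound.size >= scanThreshold).map(([ip]) => ip);
  return { total, serverErrorRate: total ? serverErrors / total : 0, p95Micros, scanners };
}

// Constructed sample: one ordinary visitor (with one failing POST) and one
// client walking a wordlist of common admin paths.
const sampleLines = [
  '198.51.100.4 - - [10/Oct/2014:13:55:36 -0700] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0" 1843',
  '198.51.100.4 - - [10/Oct/2014:13:55:37 -0700] "GET /css/site.css HTTP/1.1" 200 912 "http://example.com/" "Mozilla/5.0" 310',
  '198.51.100.4 - - [10/Oct/2014:13:55:39 -0700] "POST /api/order HTTP/1.1" 500 0 "http://example.com/" "Mozilla/5.0" 40211',
  '203.0.113.7 - - [10/Oct/2014:13:56:01 -0700] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.22" 220',
  '203.0.113.7 - - [10/Oct/2014:13:56:01 -0700] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.22" 201',
  '203.0.113.7 - - [10/Oct/2014:13:56:02 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.22" 199',
  '203.0.113.7 - - [10/Oct/2014:13:56:02 -0700] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.22" 205',
  '203.0.113.7 - - [10/Oct/2014:13:56:03 -0700] "GET /admin/ HTTP/1.1" 404 196 "-" "python-requests/2.22" 210',
  'garbage line that does not parse',
];
```

For near-real-time use the same `analyze` runs over a sliding window of the last few minutes rather than the whole file; the per-IP state is the part that has to be kept between windows so a slow scanner is not reset each time.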
Defeating Cross-Site Scripting with Content Security Policy (updated) - Francois Marier
How a new HTTP response header can help increase the depth of your web application defenses.
Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.
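The headers recommended across the talks on this page (Andrew Betts' headers talk, the Java headers session, Miriam Schwab's CSP talk, the Confraria0day slides and this one), as an added example that is not code from any of them: a checker that parses a `Content-Security-Policy` value, flags the settings that leave its XSS protection hollow, and then scores the rest of the header set. The two response header sets are constructed, and the 180-day HSTS threshold is this example's choice; the header names and CSP keywords are the real ones.

```javascript
// Added example, not from any of the talks: audit a response's security headers.
function parseCsp(value) {
  const policy = {};
  for (const directive of value.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);   // browsers keep the first copy of a directive
  }
  return policy;
}

function cspFindings(value) {
  const policy = parseCsp(value);
  const findings = [];
  const scriptSrc = policy['script-src'] || policy['default-src'];   // script-src falls back to default-src
  if (!scriptSrc) {
    findings.push('no script-src or default-src: script loading is unrestricted');
  } else {
    const src = scriptSrc.map(s => s.toLowerCase());
    const nonceOrHash = src.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    // a nonce or hash makes browsers ignore 'unsafe-inline', so only flag it on its own
    if (src.includes("'unsafe-inline'") && !nonceOrHash) findings.push("'unsafe-inline' in script sources: injected inline script runs");
    if (src.includes("'unsafe-eval'")) findings.push("'unsafe-eval': eval() on attacker-influenced strings is allowed");
    if (src.some(s => ['*', 'https:', 'http:', 'data:'].includes(s))) findings.push('scheme or wildcard script source: any host (or a data: URI) can supply script');
  }
  if (!policy['object-src'] && !policy['default-src']) findings.push('object-src not restricted: plugin content can carry script');
  if (!policy['base-uri']) findings.push('base-uri not set: an injected <base> tag can redirect relative script URLs');
  return findings;
}

// Each check returns null when the value is acceptable, otherwise the problem.
const CHECKS = {
  'strict-transport-security': v => {
    const m = /max-age=(\d+)/i.exec(v);
    return m && Number(m[1]) >= 180 * 24 * 3600 ? null : 'max-age missing or under 180 days';
  },
  'x-content-type-options': v => v.trim().toLowerCase() === 'nosniff' ? null : 'value must be nosniff',
  'x-frame-options': v => ['deny', 'sameorigin'].includes(v.trim().toLowerCase()) ? null : 'use DENY or SAMEORIGIN',
  'referrer-policy': v => ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']
    .includes(v.trim().toLowerCase()) ? null : 'policy can leak the full URL to other origins',
  'content-security-policy': v => { const f = cspFindings(v); return f.length ? f.join('; ') : null; },
};

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;   // header names are case-insensitive
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  const findings = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    if (name === 'x-frame-options' && csp['frame-ancestors']) continue;   // frame-ancestors supersedes X-Frame-Options
    if (!(name in h)) { findings.push(`${name}: missing`); continue; }
    const problem = check(h[name]);
    if (problem) findings.push(`${name}: ${problem}`);
  }
  return findings;
}

// Constructed responses: a typical first attempt and a hardened set.
const weakHeaders = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOWALL',
};
const strongHeaders = {
  'Content-Security-Policy': "default-src 'self'; script-src 'nonce-d2VsY29tZQ' 'strict-dynamic'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};
```

Two headers from the Confraria0day list are deliberately absent from the checks: `X-XSS-Protection` controls a browser filter that Chrome has since removed and Firefox never had, and HPKP has been withdrawn from the major browsers because a wrong pin locks users out of the site. Deploy a new CSP as `Content-Security-Policy-Report-Only` first and read the violation reports before switching to the enforcing header.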
Yahoo has developed the de facto standard for building fast front-ends for websites. The bad news: you have to follow 34 rules to get there. The good news: I'll take a subset of those rules, explain them, and show how you can implement those rules in an automated fashion to minimize impact on developers and designers for your high-traffic website.
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA) - cgmonroe
This is an updated version of this talk given at DrupalCamp Atlanta (DCA)
This presentation is an overview / case study of things learned by experiencing GDPR Security audits, DoS attacks, brute force login attacks, annoying robot crawlers, and hackers doing security probes.
The session will cover the following main topics, with tips on how to protect against each of these.
An overview of security threats
Server Level Attacks
Code Level Attacks
User Access Attacks
Internal Attacks
Some suggestions on developing a security plan
People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.
RFC 7540 was ratified over 2 years ago and, today, all major browsers, servers, and CDNs support the next generation of HTTP. Just over a year ago, at Velocity, we discussed the protocol, looked at some real world implications of its deployment and use, and what realistic expectations we should have from its use. Now that adoption is ramped up and the protocol is being regularly used on the Internet, it's a good time to revisit the protocol and its deployment. Has it evolved? Have we learned anything? Are all the features providing the benefits we were expecting? What's next?
In this session, we'll review protocol basics and try to answer some of these questions based on real-world use of it. We'll dig into the core features like interaction with TCP, server push, priorities and dependencies, and HPACK. We'll look at these features through the lens of experience and see if good practice patterns have emerged. We'll also review available tools and discuss what protocol enhancements are in the near and not-so-near horizon.
Altitude San Francisco 2018: Preparing for Video Streaming Events at Scale - Fastly
CBS Interactive streams some of the largest video streaming events on the planet, including the Super Bowl in 2019. This talk will focus on all the work that goes in ahead of time to prepare and plan for game day. From architecture design to capacity reservations to operational visibility and building playbooks, we will explore how we build, test and prepare for these large events. We will also explore how some of Fastly's unique features such as MediaShield and VCL are becoming critical to these workflows.
Altitude San Francisco 2018: Building the Southern Hemisphere of the Internet - Fastly
As a global organization, Fastly carefully selects and deploys POP locations to service the greater audience of the Internet. Fastly currently has 52 global POPs across the Internet, 13 of which are located in the Southern Hemisphere. Another 3 are outside North America, Europe, and Asia. During this talk, VP of Infrastructure Tom Daly will share our experience in building Fastly's network of POPs south of the equator, where, in some cases, the Internet we know here in San Francisco is much different. Tom will explore the physical datacenter infrastructure, network topology, and network policy that pose unique challenges when operating in these parts of the world.
Altitude San Francisco 2018: The World Cup Stream - Fastly
FuboTV’s recent offering of the 2018 FIFA World Cup broke all of our previous records for viewership and put our systems to the test as we delivered all 64 matches live. Coverage for a majority of games was spread out across ~150 regional sports networks, local FOX affiliates, owned and operated regional stations and other local FOX offerings, with a few early matches broadcast on national channels. Running a successful World Cup required us to pay close attention to our caching strategies, delivery mechanisms, content edge-case handling and more. An event at this scale, spread out over a month, also gave us an excellent test bed to run experiments. We were able to augment our last-mile delivery, test/tweak our solution for CDN decisioning/priority, and even stand up a set of UHD HDR10 feeds to give our users their first glimpse of live OTT UHD offerings. We’ll run through this whole event from a scale and technology perspective and share our takeaways as we prepare for the upcoming NFL season and beyond.
Altitude San Francisco 2018: Scale and Stability at the Edge with 1.4 Billion... - Fastly
Braze is a customer engagement platform that delivers more than a billion messaging experiences across push, email, apps and more each day. In this session, Jon Hyman will describe the company's challenges during an inflection point in 2015 when the company reached the limitation of their physical networking equipment, and how Braze has since grown more than 7x on Fastly. Jon will also discuss how Braze uses Fastly's Layer 7 load balancing to improve stability and uptime of its APIs.
Altitude San Francisco 2018: Moving Off the Monolith: A Seamless Migration - Fastly
In this talk, Jeff Valeo from Grubhub will talk about how they leveraged Fastly to slowly migrate user traffic from a legacy monolith to a new, service-based architecture. This solution allowed Grubhub to shift millions of users as new functionality was built with zero downtime.
Altitude San Francisco 2018: Bringing TLS to GitHub Pages - Fastly
Sam Kottler, SRE Engineering Manager at GitHub will dig into how they rearchitected Pages, so that custom domains now support HTTPS, meaning over a million GitHub Pages sites will be served over HTTPS.
Altitude San Francisco 2018: HTTP Invalidation Workshop - Fastly
One of the most powerful tools that Fastly offers is worldwide, instant purge. Come learn the ins and outs of how HTTP invalidation works in general and how purge and surrogate keys can be used to improve your site's delivery and get even more value from Fastly.
This talk will also cover the purge blast radius
Surrogate Keys are an amazing way to purge your content from cache, but they can be a bit scary when you aren't sure how many URLs a surrogate key is tied to or what kind of effect purging it will have on origin. Join the USA Today Network as we explain how we leverage big data tools, Go APIs, New Relic, and Sumo Logic to provide our users a suite of tools for purging content from Fastly. Developers love knowing the blast radius of their surrogate keys, while our engineers love the real-time metrics and notifications we get when developers are hard-purging content.
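The mechanism behind the workshop and the USA TODAY NETWORK talk above, as an added example that is not Fastly's or USA TODAY's code: an in-memory model of surrogate-key invalidation. Each cached object carries a `Surrogate-Key` header listing the keys it belongs to; purging a key evicts every object tagged with it, and the blast radius of a key is the number of objects that evicting it sends back to origin. The URLs, keys and class name are constructed for this example.

```javascript
// Added example, not Fastly's code: a cache indexed by surrogate key.
class SurrogateCache {
  constructor() {
    this.objects = new Map();   // url -> { body, keys }
    this.index = new Map();     // key -> Set of urls carrying that key
  }

  // Store a response; the Surrogate-Key header is a space-separated key list.
  store(url, body, surrogateKeyHeader) {
    const keys = surrogateKeyHeader.split(/\s+/).filter(Boolean);
    this.evict(url);   // re-storing must drop the old key memberships first
    this.objects.set(url, { body, keys });
    for (const k of keys) {
      if (!this.index.has(k)) this.index.set(k, new Set());
      this.index.get(k).add(url);
    }
  }

  evict(url) {
    const obj = this.objects.get(url);
    if (!obj) return;
    for (const k of obj.keys) {
      const urls = this.index.get(k);
      urls.delete(url);
      if (urls.size === 0) this.index.delete(k);
    }
    this.objects.delete(url);
  }

  get(url) {
    const obj = this.objects.get(url);
    return obj ? obj.body : null;   // null is a miss: the next request goes to origin
  }

  // How many cached objects a purge of this key would throw away.
  blastRadius(key) {
    const urls = this.index.get(key);
    return urls ? urls.size : 0;
  }

  // Purge by key; returns the URLs that origin will now have to serve again.
  purgeKey(key) {
    const urls = [...(this.index.get(key) || [])];
    for (const u of urls) this.evict(u);
    return urls;
  }
}

// Constructed sample: three stories tagged by story id, section and front page.
const cache = new SurrogateCache();
cache.store('/story/1', 'Cubs win', 'story-1 section-sports homepage');
cache.store('/story/2', 'Draft results', 'story-2 section-sports');
cache.store('/story/3', 'Council vote', 'story-3 section-news homepage');
```

The `blastRadius` lookup is the number the USA TODAY tooling surfaces before a developer confirms a purge; a key like `homepage` that every story shares is the one to check, since purging it is effectively a purge-all for the section.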
Altitude San Francisco 2018: How Magento moved to the cloud while maintaining... - Fastly
Magento Commerce was first released by a small web development agency over ten years ago, when they saw first-hand what a challenge it was for companies like them to build unique eCommerce sites. They created an open source platform that gives developers the flexibility to create meaningful shopping experiences while building a global community that drives down merchant costs and fosters innovation. Amid the rise of cloud-based software, Magento needed to keep pace with more complex merchant needs and heightened shopper expectations. In this session learn how Magento, with the help of partners like Fastly, evolved into a cloud-based platform without sacrificing their commitment to open software, flexibility, and the community.
Altitude San Francisco 2018: Scaling Ethereum to 10B requests per dayFastly
ConsenSys is a venture production studio building decentralized applications and developer and end-user tools for blockchains. Their Infura platform is a core infrastructure pillar of Ethereum, enabling decentralized applications of all kinds to scale to accommodate their users.
Infura went from 20 million requests a day at the beginning of 2017 to over 10 billion requests today. This staggering 500x increase naturally lead to questions of scale.
In this talk, co-founder Michael Wuehler will discuss the technical challenges encountered while building and scaling the Infura platform, and the infrastructure decisions that led to their adoption of Fastly and other pivotal technologies.
Altitude San Francisco 2018: Authentication at the EdgeFastly
Turning away unwanted traffic close to the source is a common and key use case for edge networks like Fastly, but identity, authentication, and authorization at the edge can go far beyond blocking DDoS. The unique way that you identify your site’s users can probably move to the edge too, allowing you to cut response times in your critical path, offload more origin traffic, and make smarter routing decisions at the edge.
In this talk we’ll cover a number of patterns in use by real Fastly customers. Whether you prefer token authentication, pre-shared keys, OAuth, HTTP auth, JSON web tokens, or a complex paywall, learn how you can potentially make your authentication decisions at the edge.
Altitude San Francisco 2018: Testing with Fastly WorkshopFastly
A crucial step for continuous integration and continuous delivery with Fastly is testing the service configuration to provide confidence in changes. This workshop will cover unit-testing VCL, component testing a service as a black box, systems testing a service end-to-end and stakeholder acceptance testing.
Altitude San Francisco 2018: Fastly Purge Control at the USA TODAY NETWORKFastly
One of the most powerful tools that Fastly offers is worldwide, instant purge. Come learn the ins and outs of how HTTP invalidation works in general and how purge and surrogate keys can be used to improve your site's delivery and get even more value from Fastly.
This talk will also cover the purge blast radius
Surrogate Keys are an amazing way to purge your content from cache, but they can be a bit scary when you aren't sure how many URLs this surrogate key is tied to or what kind of affect this will have on origin. Join the USA Today Network as we explain how we leverage big data tools, Go APIs, New Relic, and Sumo Logic to provide our users a suite of tools for purging content from Fastly. Developers love knowing the blast radius of their surrogate keys, while our engineers love the real-time metrics and notifications we get when developers are hard-purging content.
In this hands-on workshop you will attack a vulnerable web application while defending your own web service behind a Fastly WAF. Attendees will depart understanding how common web application attacks can be exploited as well defended against. They will experience WAF logging and analytics via sumologic to detect attacks realtime. For mitigation you will use a preview version of our newly built WAF rule management UI. We will close off the workshop by deep diving on how our security team analyzed and mitigated some of this summer major vulnerabilities.
Altitude San Francisco 2018: Logging at the Edge Fastly
Fastly delivers more than a million log events per second. Our Real-Time Log Streaming is easy to set up, but there are many features you might not be using to their full extent.
This workshop will cover setting up logging to various endpoints, dealing with structured data, and getting real-time insights into your customers’ behavior.
Altitude San Francisco 2018: Video Workshop DocsFastly
Fastly delivers more than a million log events per second. Our Real-Time Log Streaming is easy to set up, but there are many features you might not be using to their full extent.
This workshop will cover setting up logging to various endpoints, dealing with structured data, and getting real-time insights into your customers’ behavior.
- - - - - - - - - - -
Live streaming and on-demand video can provide a powerful way to connect with customers, but viewers expect seamless pixel-perfect streams without common video delivery inconveniences, such as downtime or lags. This workshop will demonstrate how anyone can deliver live video at scale. We’ll thoroughly explain key video delivery optimizations and more importantly, demonstrate their efficacy using the data collected from both Fastly Log Streaming/Sumo Logic and the Mux quality of experience service.
Altitude San Francisco 2018: Programming the EdgeFastly
Programming the edge
Second floor
Andrew Betts
Principal Developer Advocate, Fastly
Hide abstract
Through our support for running your own code on our edge servers, Fastly's network offers you a platform of unparalleled speed, reliability and efficiency to which you can delegate a surprising amount of logic that has traditionally been in the application layer. In this workshop, you'll implement a series of advanced edge solutions, and learn how to apply these patterns to your own applications to reduce your origin load, dramatically improve performance, and make your applications more secure.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
7. • Alexa top 1,000,000 websites
• Around 500,000 pages analysed
• Over 50 million requests per run
• Captures full request and response data, timing metrics etc.
• Runs using WebPageTest
• Makes raw result data available in BigQuery
11. P3P
Machine readable privacy policy
https://www.w3.org/TR/P3P11/
Domains sending: 9.8%
Standardised in: 2002
Commonly set to: cp="this is not a p3p policy"
13. Platform for Privacy Preferences Project?
• Intended as a declaration of privacy policy
• Too hard for users to understand/use
• Only ever implemented by Internet Explorer, to gate access to third party cookies in IFRAMEs
  – ... but not validated
• Commonly set to “this is not a P3P policy”, which satisfies the check
https://bigquery.cloud.google.com/savedquery/598614557294:9c69db8c47f84c4d9a4b57668ac8ba58
14. Expires
Sets expiry time for local caching
https://tools.ietf.org/html/rfc7234#section-5.3
Domains sending: 78%
Standardised in: 1997
20. X-Cache
Records whether the page came from cache upstream (probably)
Domains sending: 13%
Standardised in: Never
Commonly set to: HIT
21. x-cache x-aspnet-version x-varnish x-request-id x-cache-hits x-cacheable x-aspnetmvc-version x-runtime x-generator x-drupal-cache host referer x-served-by x-proxy-cache server x-type x-cache-group x-cache-status x-accel-version
Meaningless to the browser
All headers shown above are returned by at least 5,000 domains in the HTTP Archive dataset
https://bigquery.cloud.google.com/savedquery/598614557294:2463981d0f444b6ba6c1a8c376079b90
22. Outputting debug headers conditionally

    if (!req.http.Reveal-Debug && !req.http.Cookie:RevealDebug) {
      unset resp.http.Server;
      unset resp.http.X-Powered-By;
      unset resp.http.X-Cache;
      // ... etc
    }

Works in Fastly and Varnish cache
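The same rule as the VCL above, written as a plain Node.js function so it can be unit-tested without a cache in front of the origin. This is an added example, not code from the talk or from Fastly; the header list is the one from slide 21 plus the three the VCL unsets, and the `Reveal-Debug` header and `RevealDebug` cookie names are taken from the slide (treat them as a shared secret and choose your own).

```javascript
'use strict';
// Added example (not from the talk or Fastly): strip fingerprinting response
// headers unless the request explicitly asked to see them.

// Response headers that tell a browser nothing useful but tell an observer
// which software and cache layers sit behind the site. Hypothetical list
// built from slide 21 and the VCL on slide 22; extend it for your stack.
const DEBUG_HEADERS = [
  'server', 'x-powered-by', 'x-cache', 'x-cache-hits', 'x-cacheable',
  'x-aspnet-version', 'x-aspnetmvc-version', 'x-varnish', 'x-request-id',
  'x-runtime', 'x-generator', 'x-drupal-cache', 'x-served-by',
  'x-proxy-cache', 'x-cache-group', 'x-cache-status', 'x-accel-version',
];

// Minimal Cookie header parser: "a=1; b=2" -> Map { a => "1", b => "2" }.
function parseCookies(cookieHeader) {
  const jar = new Map();
  if (!cookieHeader) return jar;
  for (const pair of cookieHeader.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (name) jar.set(name, pair.slice(eq + 1).trim());
  }
  return jar;
}

// Header names are case-insensitive; normalise once so lookups are simple.
function lowerCaseKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj || {})) out[k.toLowerCase()] = v;
  return out;
}

// Same condition as the VCL: reveal when the Reveal-Debug request header is
// set or a RevealDebug cookie is present.
function shouldRevealDebug(reqHeaders) {
  const h = lowerCaseKeys(reqHeaders);
  if ('reveal-debug' in h) return true;
  return parseCookies(h['cookie']).has('RevealDebug');
}

// Returns a new response-header object with the debug headers removed
// unless the request opted in. The input object is not modified.
function filterDebugHeaders(reqHeaders, resHeaders) {
  if (shouldRevealDebug(reqHeaders)) return { ...resHeaders };
  const drop = new Set(DEBUG_HEADERS);
  const out = {};
  for (const [name, value] of Object.entries(resHeaders)) {
    if (!drop.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample: an anonymous request against a typical origin response.
console.log(filterDebugHeaders(
  { 'user-agent': 'Mozilla/5.0' },
  { Server: 'nginx', 'X-Powered-By': 'PHP/7.2', 'X-Cache': 'HIT', 'Content-Type': 'text/html' },
));
```

In a real deployment the filter belongs at the edge (as in the VCL) or in the outermost middleware, so that every layer's headers pass through it; doing it in the application alone still leaks whatever the cache and load balancer add afterwards.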
23. X-Frame-Options
Prohibits third party framing of your site
https://tools.ietf.org/html/rfc7034
Domains sending: 22.7%
Standardised in: 2013
Almost always set to: sameorigin
24. Stop anyone from framing your site:
X-Frame-Options: SAMEORIGIN
But... equivalent to...
Content-Security-Policy: frame-ancestors 'self'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
25. Via
Lists proxies through which the request passes
https://httpwg.org/specs/rfc7230.html#header.via
Domains sending: 8.7%
Standardised in: 1997
32. Simple CSP example:
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
By default, only allow access to the same origin as the page. But allow images to come from anywhere. Media and scripts from a whitelist of specific origins.
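To see what the policy on this slide actually permits, and why slide 24 can call X-Frame-Options: SAMEORIGIN and frame-ancestors 'self' equivalent, here is a small evaluator for CSP source lists. It is an added example, not code from the talk; the page origin https://www.example.com and the test URLs are constructed, and port numbers and path restrictions in host-sources are ignored to keep the matcher short. The one subtlety worth learning from it: a directive that is present does not inherit from default-src, so with this policy a script from the page's own origin is blocked, and frame-ancestors never falls back to default-src at all.

```javascript
'use strict';
// Added example (not from the talk): evaluate CSP source-list directives.

// Fetch directives that fall back to default-src when absent.
// frame-ancestors is deliberately not in this set: it never falls back.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'media-src', 'font-src', 'connect-src',
  'object-src', 'frame-src', 'worker-src', 'manifest-src', 'child-src',
]);

// "default-src 'self'; img-src *" -> Map { 'default-src' => ["'self'"], ... }
// A repeated directive name is ignored by CSP, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the URL, for a page served from pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;     // 'none', nonces, hashes: match no URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {   // scheme-source, e.g. https:
    return url.protocol === source.toLowerCase();
  }
  // host-source: optional scheme, optional leading "*." wildcard label
  let host = source;
  let scheme = null;
  const withScheme = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (withScheme) { scheme = withScheme[1].toLowerCase() + ':'; host = withScheme[2]; }
  host = host.split('/')[0].split(':')[0].toLowerCase();  // port and path ignored (simplification)
  if (scheme !== null && url.protocol !== scheme) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// true/false when the policy governs the directive, null when it is silent
// (no frame-ancestors directive means framing is not restricted by this CSP,
// whatever default-src says).
function cspAllows(directives, directive, urlString, pageOrigin) {
  let sources = directives.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = directives.get('default-src');
  }
  if (sources === undefined) return null;
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// X-Frame-Options value -> the equivalent CSP directive (slide 24).
// ALLOW-FROM is not handled; use an explicit host-source in frame-ancestors.
function xfoToFrameAncestors(value) {
  switch (value.trim().toUpperCase()) {
    case 'DENY': return "frame-ancestors 'none'";
    case 'SAMEORIGIN': return "frame-ancestors 'self'";
    default: return null;
  }
}

// The slide's policy, evaluated for a page on https://www.example.com (constructed origin).
const SLIDE_POLICY = "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com";
const PAGE_ORIGIN = 'https://www.example.com';
const policy = parseCsp(SLIDE_POLICY);
console.log('own-origin script allowed?', cspAllows(policy, 'script-src', PAGE_ORIGIN + '/app.js', PAGE_ORIGIN));
console.log('XHR to own origin allowed?', cspAllows(policy, 'connect-src', PAGE_ORIGIN + '/api', PAGE_ORIGIN));
```

One caveat on the slide 24 equivalence: frame-ancestors is checked against every document in the ancestor chain, whereas RFC 7034 notes that browsers historically differed on whether SAMEORIGIN compared only the top-level document, so sending both, with the CSP directive as the one you rely on, is the safe choice.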
37. Referrer-Policy
What to send in referrals from this page
https://w3c.github.io/webappsec-referrer-policy/
Domains sending: 2.4%
Standardised in: 2017
39. Link (preload)
Declare a resource that’s important early on
https://w3c.github.io/preload/#x2.link-type-preload
Domains sending: 19.1%
Standardised in: 2016
44. The status code problem
[Waterfall diagram: DNS lookup → TLS → TTFB. The status code and Link headers are only received after the origin has finished its database, auth, templating and API queries.]
45. 103 Early Hints
Sends headers before status code
https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-05
Domains sending: Unknown
Status: Proposed
46. Get your fonts and styles down even sharper:

    HTTP/1.1 103 Early Hints
    Link: <some-font-face.woff2>; rel="preload"; as="font"; crossorigin
    Link: <main-styles.css>; rel="preload"; as="style"

    HTTP/1.1 200 OK
    Date: Fri, 26 May 2017 10:02:11 GMT
    Content-Length: 1234
    Content-Type: text/html; charset=utf-8
    Link: <some-font-face.woff2>; rel="preload"; as="font"; crossorigin
    Link: <main-styles.css>; rel="preload"; as="style"

    <!doctype html>
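What a client has to do with that exchange is read one or more 1xx interim responses off the connection before the final status arrives and act on the Link hints in them. The parser below does that over a raw HTTP/1.1 response stream and also checks that everything hinted early was declared again by the final response, since hints are only advisory. This is an added example, not code from the talk or from any HTTP library; the sample exchange is constructed from the slide with a shortened body, and Link values containing commas inside the URL are not handled.

```javascript
'use strict';
// Added example (not from the talk): parse a 103 Early Hints exchange.

const CRLF = '\r\n';

// Parse one Link header value ("<a>; rel=preload, <b>; rel=preload") into
// [{ url, rel, as, ... }]. Bare parameters such as "crossorigin" become true.
// Splitting on "," is a simplification: commas inside <...> would break it.
function parseLink(value) {
  return value.split(',').map((entry) => {
    const [target, ...params] = entry.split(';').map((s) => s.trim());
    const link = { url: target.replace(/^<|>$/g, '') };
    for (const p of params) {
      if (!p) continue;
      const eq = p.indexOf('=');
      if (eq < 0) link[p.toLowerCase()] = true;
      else link[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim().replace(/^"|"$/g, '');
    }
    return link;
  });
}

function headerValue(headers, name) {
  const found = headers.find(([n]) => n === name);
  return found ? found[1] : undefined;
}

// Parse a response stream. Returns { interim: [msg...], final: msg } where each
// msg is { status, reason, headers: [[name, value]...], hints: [...] } and the
// final message also carries `body`, sized by Content-Length (ASCII assumed).
function parseResponseStream(raw) {
  const result = { interim: [], final: null };
  let rest = raw;
  while (result.final === null) {
    const sep = rest.indexOf(CRLF + CRLF);
    if (sep < 0) throw new Error('truncated message head');
    const [statusLine, ...headerLines] = rest.slice(0, sep).split(CRLF);
    rest = rest.slice(sep + 4);
    const m = /^HTTP\/1\.[01] (\d{3})(?: (.*))?$/.exec(statusLine);
    if (!m) throw new Error('bad status line: ' + statusLine);
    const headers = headerLines.map((line) => {
      const colon = line.indexOf(':');
      if (colon < 0) throw new Error('bad header line: ' + line);
      return [line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim()];
    });
    const msg = {
      status: Number(m[1]),
      reason: m[2] || '',
      headers,
      hints: headers.filter(([n]) => n === 'link').flatMap(([, v]) => parseLink(v)),
    };
    if (msg.status >= 100 && msg.status < 200) {
      result.interim.push(msg);   // interim responses have no body; keep reading
      continue;
    }
    const length = Number(headerValue(headers, 'content-length') || 0);
    msg.body = rest.slice(0, length);
    result.final = msg;
  }
  return result;
}

// Early hints are advisory: confirm that every early hint (url + destination)
// was also sent by the final response, so nothing was fetched that the real
// response never asked for.
function hintsConfirmedByFinal({ interim, final }) {
  const key = (h) => h.url + '|' + (h.as || '');
  const confirmed = new Set(final.hints.map(key));
  return interim.flatMap((m) => m.hints).every((h) => confirmed.has(key(h)));
}

// Constructed sample following the slide's exchange, with a short body.
const BODY = '<!doctype html><title>hi</title>';
const SAMPLE_EXCHANGE = [
  'HTTP/1.1 103 Early Hints',
  'Link: <some-font-face.woff2>; rel="preload"; as="font"; crossorigin',
  'Link: <main-styles.css>; rel="preload"; as="style"',
  '',
  'HTTP/1.1 200 OK',
  'Date: Fri, 26 May 2017 10:02:11 GMT',
  'Content-Length: ' + Buffer.byteLength(BODY),
  'Content-Type: text/html; charset=utf-8',
  'Link: <some-font-face.woff2>; rel="preload"; as="font"; crossorigin',
  'Link: <main-styles.css>; rel="preload"; as="style"',
  '',
  BODY,
].join(CRLF);

const parsed = parseResponseStream(SAMPLE_EXCHANGE);
console.log('early hints:', parsed.interim[0].hints, 'confirmed:', hintsConfirmedByFinal(parsed));
```

The check in hintsConfirmedByFinal is the defensive half of the feature: a cache or proxy that forwards a 103 from one backend and a 200 from another can hint resources the final page never uses, which wastes bandwidth at best and, for as="font" with crossorigin, starts a cross-origin fetch the page did not intend.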
47. Preloaded resources start preloading earlier
[Waterfall diagram: DNS lookup → TLS → early hints + Link headers received → real status received.]
49. Just turn off the bad stuff
Feature-Policy: autoplay 'none'; speaker 'self'; unsized-media some3rdparty.com
• autoplay 'none': no-one can autoplay video on this page
• speaker 'self': only I can use the speakers. No noisy ads, thanks.
• unsized-media some3rdparty.com: images only take size from their contents when loaded from some3rdparty.com
50. The future-future:
Feature-Policy: doc-write 'none'; sync-xhr 'none'; sync-resources 'none'
• doc-write 'none': bye bye document.write
• sync-xhr 'none': no more synchronous XMLHttpRequest
• sync-resources 'none': all JS and CSS is deferrable
52. Sec-Origin-Policy
Moves origin-wide headers into a file
https://wicg.github.io/origin-policy/
Domains sending: 0
Status: Proposed
53. $ telnet bank.example.com 80

    GET /statement HTTP/1.1
    Host: bank.example.com

    HTTP/1.1 200 OK
    Date: Tue, 27 Feb 2018 13:28:47 GMT
    Content-Type: text/html
    Content-Length: 34882

    <html>
    ...