This talk, given at OWASP AppSec DC 2010 under the same title, is all about better, more evolved web application security testing utilizing automation!
This document discusses ADC Austin's M3 Modernization tool and process for modernizing legacy CA 2E environments. It provides an overview of the M3 methodology, which uses model-based migration to automate the modernization of the entire 2E model. A case study is presented on a customer migration project. The presentation concludes with a discussion of next steps organizations can take to evaluate and implement the M3 Modernization process.
Social Photos is an online social network for photographers and photo lovers. Users can take photos and share them on the network. Other users can like, dislike, or comment on photos. The network also integrates location-based features so photos can be listed near the location where they were taken. The social network is built using various Microsoft and non-Microsoft technologies integrated seamlessly. It uses technologies like Entity Framework, WCF data services, OData, and supports multiple client platforms like Windows Phone, Android, iOS, and web clients.
The Legacy System Migration Workbench (LSMW) is a tool for migrating data from legacy systems to SAP. It allows data to be transferred between non-SAP legacy systems and SAP either once or periodically. LSMW reduces the cost and time of migration while ensuring quality and consistency through import checks. It offers various data conversion techniques and generates conversion programs from rules to migrate data in a consistent manner with less programming required. The general process involves reading legacy data, converting it to the SAP format, and importing it using standard SAP interfaces.
HFM API Deep Dive – Making a Better Financial Management Client (Charles Beyer)
While the Financial Management Client program that ships with HFM provides key functionality and is quite reliable, there are many areas where it could be improved. Fortunately for us, the Financial Management Client is a great example of a program that implements the HFM COM API, as many of the program’s features are directly attributable to API functions. Because of this, we can focus on adding value without having to completely reinvent the wheel.
This session, which builds off of a previous API presentation, will further walk you through a complete program build utilizing HFM COM API functionality and Microsoft Visual Studio .NET. Fully working code will be provided as well for viewers.
The document discusses plans for updating the OWASP Testing Guide to version 4. It provides background on the history and adoption of previous versions. Key points discussed include establishing a common vulnerability list, reviewing and updating test categories, and proposing a new project team. The roadmap includes adhering to a common numbering system, reviewing existing sections, removing unnecessary parts, and adding new testing techniques. The overall goal is to improve and expand the guide to continue helping security testers.
This document discusses security testing approaches for the OWASP Top 10 vulnerabilities. It argues that superficial security tests that only examine the user interface provide an illusion of knowledge and security. To fully understand risks, tests need to examine the entire application stack, including the backend, and consider vulnerabilities like security misconfiguration, missing access controls, and use of vulnerable components. Examples are given showing how vulnerabilities can remain undetected if the full scope of the application is not tested, including the code, configurations, dependencies and infrastructure. A holistic approach to security testing that incorporates reverse engineering is advocated to have a realistic understanding of risks.
OWASP has identified the top 10 security risks for web applications. How do we as testers look for these problems in our application? This presentation discusses some ideas.
Presentation that fellow Magenicon Zach Bergman and I did at the Twin Cities Quality Assurance Association meeting in January.
Owasp Eu Summit 2008 Owasp Testing Guide V3 (Matteo Meucci)
This document provides an overview and agenda for the OWASP Testing Guide Version 3 project. It discusses the objectives to improve and update Version 2, creating a new complete project focused on web application penetration testing. It outlines the roadmap and timeline for the project from brainstorming to publishing. It highlights some of the new articles added and templates used. It also discusses future integration plans and calls for further participation and discussion.
Most software developers have heard about OWASP Top Ten, describing the 10 most critical security vulnerabilities that should be avoided in web applications.
However, in order to prevent them, developers must be aware of the proactive controls that should be incorporated from early stages of software development lifecycle.
This talk briefly discusses the OWASP Top Ten Proactive Controls and then maps them to the respective OWASP Vulnerabilities that each of them addresses.
The document discusses attacking HTML5. It begins with an introduction to HTML5 tags, attributes, and features like geolocation, drag and drop, and storage options. It then covers ways these features can be attacked, including stealing data from storage, spoofing data to cause CSRF or XSS, and dumping data from SQL storage. Specific attacks are demonstrated against cross-origin resource sharing, cross-document messaging, clickjacking, and exploiting new vulnerabilities with older attacks. The document concludes that while HTML5 provides new browser capabilities, attackers can find innovative ways to exploit these features maliciously.
AppSec DC 2009 - Learning by breaking by Chuck Willis (Magno Logan)
Chuck Willis proposes a new OWASP project called the "OWASP Broken Web Applications Project" that would provide a virtual machine containing intentionally vulnerable web applications. The virtual machine would contain various vulnerable versions of applications like WebGoat, WordPress, and phpBB to allow testing of vulnerability scanning, code analysis, and other security tools. Willis is seeking help expanding and maintaining the project.
The document is a presentation on web application security given by Mohamed Ridha Chebbi. The presentation covers topics such as application insecurity, the top 10 risks in application security, addressing security problems through training and verification processes, different levels of application security standards, and protecting applications and data with infrastructure like web application firewalls and database firewalls.
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts (Magno Logan)
ZAP (Zed Attack Proxy) is an open source web application penetration testing tool that is easy to use, cross-platform, and has been downloaded over 6,300 times. It includes features like an intercepting proxy, active and passive scanners, a spider, and report generation that allow it to test web applications for vulnerabilities. ZAP has an active international development community, is improving rapidly with new releases, and has the potential to introduce more people to application security best practices.
Presented at #PHPLX 11 September 2013
The 2013 edition of the OWASP (Open Web Application Security Project) Top 10 has just been released and, unfortunately, injection (not only SQL injection) is still the most common security problem. In this talk we will review the Top 10 list of security problems, looking at possible attack scenarios and ways to protect against them, mostly from a PHP programmer's perspective.
Techdays 2013 managing your hybrid cloud datacenter with scom 2012 and what’s... (wwwally)
Monitoring is no longer limited to the status of a server in your data center; SCOM looks at more, much more, including components outside the walls of your data center. After an introduction to the existing functionality in SCOM 2012, in this session I show that SCOM is able to monitor Azure applications with the extensive capabilities of Application Performance Monitoring (APM), and from a worldwide perspective by using Global Service Monitor (GSM). Besides monitoring cloud services, I would like to show what is inside ACS and which choices you must make to set it up properly. In addition, an overview of the improvements that have been added to APM in SCOM 2012 SP1.
This document discusses managing hybrid cloud datacenters using System Center Operations Manager (SCOM) 2012 and its new features in Service Pack 1 (SP1). It provides an overview of where SCOM fits in private cloud architectures and what's new in SCOM 2012 SP1, including enhanced network, storage, and virtualization monitoring. It also demonstrates new capabilities for application performance monitoring, audit collection services, dynamic access control, and connecting SCOM to monitor cloud services and enable DevOps scenarios.
Trends and issues impacting database management systems circa 2004 included increasing complexity, lack of resources, and rapid changes in technology. New database management system versions were being released frequently with new features enabled for the internet and real-time usage. Emerging technologies like Java, .NET, and XML were becoming more widely adopted and database systems were taking on additional functionality beyond traditional querying and storage. The internet was driving changes requiring database administrators to have new skills to support increasingly complex enterprise infrastructure and applications.
This webinar discusses multi-tenant business intelligence in a cloud computing environment. It defines multi-tenancy as a single software instance serving multiple client organizations. The webinar examines four approaches to multi-tenant BI and the benefits of each. It also outlines the steps to onboard a new client for each approach. Finally, it discusses considerations for choosing a multi-tenant BI solution and promotes the unique combination of innovations from SwiftKnowledge.
This document provides an overview of Spring Cloud Data Flow, including what it is, its key components like Spring Batch and Spring Cloud Stream applications, how it can be used for batch jobs, tasks, and streams, and how it provides orchestration and deployment on platforms like Kubernetes. It also discusses Spring Cloud Data Flow's observability features and includes an interview discussing how one user implemented batch and stream processing using Spring Cloud Data Flow to ingest and process data in a more real-time and fault-tolerant manner.
"Industrial Internet IoT bootcamp" meetup, 11-5-2015 hosted by GE Digital at HackerDojo. Discussing topics ranging from IoT architecture to connectivity and protocols, cyber security, data science and industrial UX design.
This document discusses drivers and barriers to cloud migration as well as common issues organizations face. It proposes that F5 and VMware solutions can help by automating network changes, enabling live application migration between data centers, and providing a hybrid cloud architecture. F5 solutions such as BIG-IP can optimize performance, maximize availability, simplify management, and accelerate desktop virtualization deployments. The plug-in for VMware vSphere aims to simplify management by integrating F5 solutions directly into the vSphere client user interface.
The document discusses the security challenges faced by Pervasive DataCloud2, an integration platform as a service (iPaaS) company. It outlines Pervasive's approach to protecting customers and infrastructure from external threats such as firewall rules, monitoring of OS events and API usage, and vulnerability scanning. It also details how Pervasive protects against internal threats through operational protocols, audits, access controls and segregation of duties. Additionally, the document addresses protecting customers from each other on shared elastic resources through availability monitoring, data encryption, and limits on cloud functionality.
This document discusses migrating from Lotus Notes to the Force.com platform. It highlights how Force.com offers easier use, faster development, and lower costs than Lotus Notes. Specifically, Force.com allows up to 5 times faster development and can reduce total cost of ownership by 54% over 3 years. The document also outlines challenges in migrating from Lotus Notes due to complex security and lack of documentation. It introduces EscapeNotes, a company that provides automated assessment and migration technology to reduce migration costs and time from 1 month per application to just a few days.
It is mandatory for every medicine or pharma package to have a unique serial code or UID. The project is to build a web application that will provide tracking capabilities for the UID on pharma packaging of drugs. The track feature (TRACK n trace) will track the UID of each package by using vision-based scanners, RFIDs, etc. and store the data on a local server. The server will be synced daily with a global server (we are looking for cloud-based hosting platforms such as Windows Azure or Amazon Web Services). We have to build the trace functionality (Track n TRACE) by building a web interface where a person with the UID can trace the shipment.
We have to keep historical records for as long as 10 years and build logic on the basis of the UID state. We have to provide the details from the database, such as when this package was manufactured, when it was shipped, etc. If the UID entered is faulty, for example it was never manufactured or it is past its expiration date, then we have to generate corresponding errors, maintain a log of such entries, and send a notification to the admins with details of the IP, geography, or where the error was generated.
Systems on the Edge—Your Stepping Stones into Oracle Public Cloud and the Paa... (Lucas Jellema)
Systems on the edge of an enterprise have special challenges regarding availability, scalability, security, and external interactions with systems or people.
This applies to external portals, B2B interactions, workflows that involve external actors, mobile APIs, and integrations with software-as-a-service (SaaS) instances. These systems are candidates to move to a public cloud and handle these requirements on the platform-as-a-service (PaaS) platform.
This session discusses Oracle PaaS cloud services, their mutual interaction, and how they can be leveraged to move these systems into the cloud: Oracle Java Cloud Service, Oracle Integration Cloud Service, Oracle Process Cloud Service, Oracle Mobile Cloud Service, Oracle SOA Suite Cloud Service, and Oracle Messaging Cloud Service.
Conference Session
Emergent architecture - a case study TREDS (Syed Rayhan)
Not much has been shared and talked about on Architecture as practiced on Agile projects. In fact, there is a concern among organizations small and large in adopting Agile practices/process that they have to abandon architecture in favor of agility. However, from experts we hear about this "emerging design and architecture," but not much explained in a way that dispels the myth around architecture on Agile projects. I would like to show step by step how we have done it on a large government project. (includes workflow automation, transactions, and data warehousing solutions, as well as spans multiple legacy components, and multiple agencies).
The participants will be able to understand how architecture evolves on Agile projects and how to manage/guide this evolution of architecture in a way that meets the goals of the project.
Hp discover 2012 managing the virtualization explosion (Stefan Bergstein)
HP presented its solution for virtualization management. It discussed how virtualization has led to more dynamic environments that are harder to manage. It then described HP's solution which aims to [1] monitor availability and performance across hybrid services, [2] report on service health and manage SLAs across domains, [3] optimize costs and performance of cloud services, and [4] anticipate issues before they occur. It focused on key products within its solution like the Virtualization Smart Plug-in (VISPI), Virtual Performance Viewer (vPV), Service Health Optimizer (SHO), and Service Health Analyzer.
IBM API Connect Deployment `Good Practices - IBM Think 2018Chris Phillips
The document discusses deployment best practices for API Connect and gateways. It recommends having high availability configurations with redundant components across multiple data centers to prevent single points of failure. It also suggests using Kubernetes to manage container-based deployments and enable automatic scaling and failover of services. The document provides examples of active-passive and active-active high availability patterns between two or more data centers.
Metrics that Matter-Approaches To Managing High Performing WebsitesBen Rushlo
Managing the technical quality of your site has become more complex and the number of metrics you collect has skyrocketed. Faced with hundreds of candidate metrics, how do you select those that are most meaningful? In this session you will learn which KPIs are key for successfully testing and managing your site. You will walk away with a holistic framework for managing site quality.
Windows Azure is a cloud computing platform that provides Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). It allows developers to build, deploy, and manage applications through Microsoft-managed data centers. The key services include compute, storage, networking, and development tools. Architectural principles for building reliable cloud applications on Windows Azure emphasize statelessness, redundancy, loose coupling between components, and scaling automatically based on demand.
This presentation discusses Oracle Real User Experience Insight, a solution for monitoring real user experience of web-based applications. It passively collects data on user sessions without impacting performance. This data provides insights into user transactions and identifies issues causing frustration. The presentation demonstrates how this solution helped a company identify the root cause of poor performance during a busy period, and provides integrations for common applications to provide automatic context for user actions.
WebMD implemented an IT service management system from Serena to track helpdesk requests from 1600 employees and 250 IT employees, featuring a ticket hierarchy from release management down to individual requests, automatic ticket titles and numbering, integrated approval processes, and customized reports for management and teams. The new system improved tracking of incidents, releases, employee requests and other IT processes compared to the previous manual system.
Mastering sp fx in larger projects yannick borghmansYannick Borghmans
This document summarizes a presentation about mastering SPFx in larger projects. It discusses state management with React and Redux, API management and security using Azure APIs, automated deployments with continuous integration and deployment, versioning solutions, and upgrading solutions. It also provides tips for debugging in production, splitting actions, creating global and reusable components, using PnP controls, and optimizing code quality.
Similar to Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC) (20)
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
I've been in the field of "Cyber Security" in its many incarnations for about 25 years. In that time I've learned some lessons, some the hard way.
Here are my slides presented at BSides New Orleans in April 2024.
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdfRafal Los
Preparedness for cyber security incidents - of all kinds - is formulaic. Unfortunately, many organizations don't follow these five principles, or don't take them seriously enough.
Irrational But Effective - Applying Parenthood Lessons to Cyber SecurityRafal Los
It might seem crazy, but as a parent you're more prepared than you think to be a cyber security professional and leader. Check this talk to see what I, with 8yr old twins, can tell you from my experiences.
From management, to leadership, to threat analysis and incident response - it's all related.
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)Rafal Los
The document discusses the history and evolution of vulnerability management over the decades from the 1990s to present. It outlines some unfortunate trends like overreliance on spreadsheets and a focus only on missing patches. The talk recommends taking a lifecycle approach to vulnerability management including identifying vulnerabilities across the entire attack surface, triaging findings, advising on mitigation or deferral, tracking to resolution, and reporting on progress and accountability. Prioritizing this lifecycle approach and moving beyond only patching is key to effectively managing increasing IT complexity.
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Rafal Los
Vulnerability Management is more than patching your systems. A programmatic approach to risk reduction is critical, but often under-performing. This talk provides insight on how to implement a functional program.
When it comes to intrusions and breaches, most security teams take a short-game view. This means that they look at events as discrete and individual and focus efforts on short-term goals. While not universally detrimental, this view does harm the overall security of an organization in the "long game”. Additionally, “active defense” has been hopelessly confused by marketing hype even though its meaning is powerful to security’s operational goals.
This talk focuses on how enterprise security defenders can adjust their mindset, refocus, and beat adversaries by leveraging active defense over the long game. The basis of this talk is the extensive research done in support of the threat intelligence solution blueprint, a comprehensive guide to understanding, architecting, operationalizing and maturing a threat intelligence program.
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013Rafal Los
The Chief Financial Officer (CFO) plays a critical role in Enterprise Security - but rarely gets a direct glimpse at some of the challenges, and no-frills realities of the challenge of defending an enterprise. This talk provides 5 key take-aways for CFOs.
Operationalizing Security Intelligence [ InfoSec World 2014 ]Rafal Los
Security intelligence is only worthwhile if a relevant piece of information is obtained and analyzed in a timely manner and able to aide a rapid decision-making process to mitigate an imminent threat – this capability is part of the new school security approach of Detect, Respond, Resolve with greater efficiency and speed which all enterprises should be benefiting from.
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Rafal Los
The document discusses operationalizing security intelligence for mid-market companies. It defines security intelligence as the collective activities and artifacts that enable intelligence-driven security decisions. It outlines the key requirements for security intelligence as high-quality internal and external data, well-defined internal processes, qualified personnel, and integrated technology solutions. The goal is to help mid-market companies develop the capabilities to more effectively detect, respond to, and resolve security incidents.
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rafal Los
These are the talk slides from ISSA International - discussing the need to reboot Enterprise Security to facilitate better defensibility, more intelligent security, and better operational capabilities.
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Rafal Los
This document discusses cloud security from the perspectives of both cloud service consumers and providers. For consumers, it examines questions around the security of the cloud provider, assurances and transparency, resilience of services, and compliance. For providers, it considers how to deliver security across infrastructure, platform and software as a service models, provide assurance to customers, determine appropriate security measures, manage liabilities and risks, and address compliance needs. The document also notes challenges that are keeping some enterprises from fully adopting cloud services such as immature security models, migration difficulties, lack of transparency, absence of compliance mechanisms, and fear of vendor lock-in.
Threat modeling the security of the enterpriseRafal Los
Many IT Security professionals simply do not understand "threat modeling" - or how an attack at component A can ultimately affect component B, C, and D ... this example-based (and very, very high-level) talk hopes to get you interested in threat modeling and understanding how things are connected - in orer to give you a chance to build your defenses.
Making Measurable Gains - Contextualizing 'Secure' in BusinessRafal Los
What does ‘secure’ mean? Many security professionals work in information security for a large portion of their careers without ever being able to contextualize what they contribute to the businesses they work for - a crying shame. Being able to make sense of all the security-related process changes, widgets, technology and testing is critical to not only being successful at changing the mindset and culture of your business - but to actually making a lasting long-term impression. The only way to do this is to find ways to add business-context to security metrics - creating pseudo-business/security KPIs. This talk focuses not on how to ‘hack’ but how to effectively protect… and to make it relevant to your business so that it matters.
Security BSides Atlanta - "The Business Doesn't Care..."Rafal Los
This is my talk from Security BSides Atlanta ... the talk discusses how the disconnect between security and business keeps getting wider, why, and what to do about it.
Software Security Assurance - Program Building (You're going to need a bigger...Rafal Los
This document outlines a 5-step approach to establishing a Software Security Assurance program:
1) Conduct an assessment of capabilities, resources, assets, and organization.
2) Develop a resource strategy and plan based on assessment.
3) Build intelligent processes that leverage existing processes and accommodate business needs.
4) Implement processes strategically and augment with automation technologies.
5) Continuously measure business impact and reassess goals as business priorities change.
The Future of Software Security AssuranceRafal Los
This talk is from ISSA International 2011, reflecting a look out over the horizon of Software Security Assurance for the next 20 years. Fundamentally, we must be able to start with 1 question - "Can you trust your software?" ...and if you can't say "Yes!" for certain, it's time to start somewhere.
Defying Logic - Business Logic Testing with AutomationRafal Los
It proposes a 3-phase framework: 1) Model valid business processes by monitoring normal user behavior. 2) Manipulate workflows by modifying states and transactions. 3) Analyze results to detect deviations from expected behavior, indicating potential logic defects. The goal is to overcome challenges of testing application logic, which is hard to define, domain-specific, and lacks consistent patterns. A demo is provided as a proof of concept for how such a framework could work. Contributions to further the research are welcomed.
Ultimate Hack! Layers 8 & 9 of the OSI ModelRafal Los
The vast chasm between business and Information Security must be bridged. In this talk from AtlSecCon in Halifax (Mar 2011) I discuss how Information Security professionals can 'hack' the management and budget layers of their daily work to get things done more effectively.
Oh No They Didn't! 7 Web App Security Stories (v1.0)Rafal Los
This is the first iteration of a talk that goes through some of the more ..."interesting" failures in web app security over the 2009-2010 assessment calendar.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
2. Let’s descend down the rabbit-hole
OR
Better testing through evolved automation
3. Automation: Love & Hate
Web App Sec has a LOVE|HATE relationship with automation
LOVE
• Automation speeds defect identification
• Scanning is fast, quickly producing results
HATE
• Attack surface coverage unclear*
• Confuse automation’s purpose
*More on the coverage problem shortly…
6. Why Did My Scanner Miss X?
Two real reasons
• X required a specific sequence, or FLOW
• X required DATA to get there
Data + Flow: no excuses
IF tools have data + logic… the result is
• “smarter” automation
• No more “crawl n’ hope”
11. Functional vs. Security Testing
QA TEAM                           | INFOSECURITY TEAM
Functions known                   | Functions unknown
Application understood            | Application unknown
Rely on functional specifications | Rely on crawlers + experience + luck
Coverage known                    | Coverage unknown
Highlight key business logic      | Highlight “found” functionality
12. Hard Lessons Learned
Security analysts, tools [today] aren’t equipped to properly test highly complex applications…
MISSING PIECES
• Understanding of application
• Functional mapping of application
• Application execution flow
• Valid test data
13. Bridging the Gaps
Is the kitchen-sink attack working?
Hint: It used to… not anymore
[Diagram: “YOU ARE HERE” at one end, “THEY ARE THERE” at the other, with “IDEAL” between them]
14. As All This Is Happening—Technology Drives Forward…
15. Application State Is Changing
HTTP State
• Session/Cookie State
• Server State
Client State
• JavaScript State
• Silverlight/Flash State
– Impossible to decouple HTTP from Client State
– You can’t just crawl/guess your way through a modern, complex application
16. Proposed Approach
Combine functional + security testing, compensating for technology
• Address technology complexities
  • Session states
  • Code-complexity
• Address functional complexities
  • Mapping application function as execution flows
  • Mapping data for driving execution flows
21. Basic EFD Concepts
Graph(s) of flows through the application
- Nodes represent application states
- Edges represent different actions
- Paths between nodes represent state changes
- A set of paths is a flow
22. Execution Flow Action Types
What is an action?
• Something that causes a change in state
• A human, server or browser-driven event
Three types of actions
• Direct
• Supplemental
• Indirect
23. Direct Flow Actions
Actions which change the browser’s document context
• Causes an entirely new browser page
Examples:
• Following hyperlink
• Click login button
[Diagram: HTTP states (pages) P1 → P2, joined by a direct flow action such as GET /?step2]
24. Supplemental Flow Actions
Actions that change the state of the current document
• Client-side action, maintaining browser page
Examples:
– JavaScript menu
– Flash client event
[Diagram: DOM states P1 → P1.1 → P1.1.1, joined by supplementary flows such as onLoad and onMouseOver]
25. Indirect Flow Actions
Actions automatically triggered by document context
• Usually for supporting data, modifying document state
Examples:
– Site analytics (js)
– Stock ticker
– XMLHTTPrequest
[Diagram: direct flow between pages, with an indirect flow to the Dojo library via <script src=dojo.js />]
26. Basic ADM Concepts
An Application Data Map [ADM] defines flows with the context of data
WHY?
• Flows mean nothing without DATA*
• Data should be interchangeable
• Monitoring requests makes this impossible – no context
• Data can be direct or indirect
*Where not specifically defined within an action (at the edge) the data values are assumed to be arbitrary
27. ADM + EFD Visually
Retrieve something from a safe:
1. Map the action
2. Add data (context) necessary to execute
3. Execute action using data
[Diagram: “I need something from that safe” → ACTION (open safe) → Combination: R23, L12, R31, L9]
28. ADM & EFD
Another example: Web site registration
[Diagram: START → Landing Page → fork → Login, or Registration Page → Confirm; User Account Data supplies the flow]
29. Putting It All Together (1)
Functional Level: Login → Compose → Send Email
Drives
Technical Level
30. Putting It All Together (2)
EFD, by layer (JS / DOM / HTTP):
a GET /
b GET /?Login
c GET /?Compose
d onKeyPressed (160 times)
e DIV.onMouseOver
f LI.onChange
g FORM.submit() GET /?Send
[Diagram: the functional level drives a graph of states 1 to 8 linked by actions a to g]
31. Putting It All Together (3)
Action | JS / DOM / HTTP event    | Data
a      | GET /                    | N/A
b      | GET /?Login              | User, Pass, Captcha
c      | GET /?Compose            | N/A
d      | onKeyPressed (160 times) | Email_Text
e      | DIV.onMouseOver          | N/A
f      | LI.onChange              | Send_To_Address
g      | BTN.onClick GET /?Send   | N/A
[Diagram: the functional level drives this table]
33. Flow Based Threat Analysis
• Markup flow with Threat Information
• Prioritize testing
• Prioritize verified vulnerabilities
• Detect dangerous information flows
[Diagram: a flow marked up with threat labels such as “Partners Only”, “Checkout with Credit Card” and “Viewing Items”]
34. Coverage Analysis
Flows defined by functional specification can be compared to security testing to determine gaps!
Q: “How much of the application was tested?”
A: “The scanner was able to test 8 of the 12 flows, we need to find out why/where it broke down”
EFD can be referenced to determine where
ADM can be referenced to determine why
35. Flow-Based Reproduction
Demonstrate exactly how to reproduce a defect…
Demonstrate where application failed
• Steps executed
• Data used
[Diagram: registration flow steps 1 to 4 (START → Landing Page → fork → Registration Page), with the DATA used, “<script>…”, shown alongside the steps]
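The EFD and ADM of slides 21 to 31, the coverage question of slide 34 (where did the scanner break down, and why) and the reproduction output of slide 35, modelled as an added Python example; this is not code from the talk or from HP. The a to g actions and their data follow the tables above; the state names, the Register branch (actions r1 and r2), the classification of d, e and f as supplemental actions, the scanner trace and the test data values are constructed for illustration.

```python
"""EFD + ADM model of the Login -> Compose -> Send Email flow, with coverage
analysis (where/why a scanner stopped) and flow-based reproduction output.
Added example: state names, the r1/r2 Register branch, the scanner trace and
the sample data values are constructed, not taken from the slides."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """One EFD edge: an event that moves the application from one state to another."""
    name: str   # short label (a..g as on the slides; r1/r2 are constructed)
    kind: str   # "direct" (new page), "supplemental" (DOM change), "indirect" (auto-triggered)
    event: str  # HTTP request or client-side event that performs the action
    src: str    # state before the action
    dst: str    # state after the action


# EFD: nodes are application states, edges are actions. The Login/Compose/Send
# chain is the slides' example; the Register branch mirrors the fork on slide 28.
EFD = [
    Action("a",  "direct",       "GET /",           "START",             "Landing"),
    Action("b",  "direct",       "GET /?Login",     "Landing",           "Inbox"),
    Action("r1", "direct",       "GET /?Register",  "Landing",           "Registration"),
    Action("r2", "direct",       "POST /?Confirm",  "Registration",      "Inbox"),
    Action("c",  "direct",       "GET /?Compose",   "Inbox",             "Compose"),
    Action("d",  "supplemental", "onKeyPressed",    "Compose",           "Compose.text"),
    Action("e",  "supplemental", "DIV.onMouseOver", "Compose.text",      "Compose.menu"),
    Action("f",  "supplemental", "LI.onChange",     "Compose.menu",      "Compose.addressed"),
    Action("g",  "direct",       "GET /?Send",      "Compose.addressed", "Sent"),
]

# ADM: the data each action needs in order to execute. Actions absent here take
# arbitrary data, matching the footnote on the ADM slide.
ADM = {
    "b":  ["User", "Pass", "Captcha"],
    "r2": ["User", "Pass", "Email"],
    "d":  ["Email_Text"],
    "f":  ["Send_To_Address"],
}


def enumerate_flows(edges, start="START"):
    """Return every simple path from `start` to a state with no outgoing action."""
    out = defaultdict(list)
    for e in edges:
        out[e.src].append(e)
    flows = []

    def walk(state, path, seen):
        if not out[state]:
            flows.append(path)
            return
        for e in out[state]:
            if e.dst not in seen:                      # never revisit a state in one path
                walk(e.dst, path + [e], seen | {e.dst})

    walk(start, [], {start})
    return flows


def flow_label(flow):
    return "-".join(e.name for e in flow)


def coverage(flows, observed_events, adm):
    """Slide 34: which flows the scanner completed; for the rest, WHERE it broke
    down (first action never observed, from the EFD) and WHY (the data that
    action needs, from the ADM)."""
    report = []
    for flow in flows:
        missing = next((e for e in flow if e.event not in observed_events), None)
        if missing is None:
            report.append({"flow": flow_label(flow), "tested": True})
        else:
            report.append({"flow": flow_label(flow), "tested": False,
                           "where": missing.name,
                           "why": adm.get(missing.name, ["sequence only (no data needed)"])})
    return report


def reproduce(flow, data, adm):
    """Slide 35: the exact steps executed and the data used, as a replay script."""
    steps = []
    for n, e in enumerate(flow, 1):
        vals = ", ".join(f"{k}={data[k]!r}" for k in adm.get(e.name, []))
        steps.append(f"{n}. [{e.kind}] {e.event}" + (f" with {vals}" if vals else ""))
    return steps


# Constructed scanner trace: the events a crawl-and-hope scanner managed to perform.
# It could not solve the login captcha and had no valid recipient address.
SCANNER_OBSERVED = {"GET /", "GET /?Register", "POST /?Confirm", "GET /?Compose",
                    "onKeyPressed", "DIV.onMouseOver"}

if __name__ == "__main__":
    flows = enumerate_flows(EFD)
    for row in coverage(flows, SCANNER_OBSERVED, ADM):
        print(row)
    sample_data = {"User": "alice", "Pass": "hunter2", "Captcha": "x7q9",
                   "Email_Text": "hello", "Send_To_Address": "bob@example.com"}
    print("\n".join(reproduce(flows[0], sample_data, ADM)))
```

With the constructed trace, the login flow stops at action b because the scanner had no User/Pass/Captcha, and the registration flow stops at action f for lack of a Send_To_Address: the EFD names the step, the ADM names the missing data, which is exactly the where/why split the coverage slide asks for.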
36. Dysfunctional Use of EFD
Vulnerabilities happen when using the application in an unintended way.
If we know the right logic paths…
[Diagram: the graph of states 1 to 8 and actions a to g from slide 30]
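Slide 36 says vulnerabilities come from using the application in unintended ways, and slide 33 proposes marking the flow up with threat information. As an added detection example (not the talk’s own code), the following replays each session’s observed events against the EFD’s allowed transitions and flags any event the current state does not permit, ordering findings by the threat markup. The transition table, the threat levels, the log format and the log lines are constructed for illustration; the Login/Compose/Send chain follows the slides.

```python
"""Detect dysfunctional use of an application: sessions whose observed events
do not follow a path through the EFD. Added example; the transition table,
threat markup, log format and session log are constructed, not from the talk."""
import re
from collections import OrderedDict

# EFD as a transition table: state -> {event: next state}. The Login/Compose/Send
# chain follows the slides; the Register branch and the state names are constructed.
TRANSITIONS = {
    "START":        {"GET /": "Landing"},
    "Landing":      {"GET /?Login": "Inbox", "GET /?Register": "Registration"},
    "Registration": {"POST /?Confirm": "Inbox"},
    "Inbox":        {"GET /?Compose": "Compose"},
    "Compose":      {"onKeyPressed": "Compose", "DIV.onMouseOver": "Compose",
                     "LI.onChange": "Compose", "GET /?Send": "Sent"},
    "Sent":         {"GET /?Compose": "Compose"},
}

# Threat markup on the flow (slide 33): events whose out-of-flow use matters most.
THREAT_MARKUP = {"GET /?Send": "high", "POST /?Confirm": "high", "GET /?Compose": "medium"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed log format: "<timestamp> <session-id> <event>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<session>\w+) (?P<event>.+)$")


def destination(event, transitions=TRANSITIONS):
    """State an event normally leads to, or None if the EFD never uses it."""
    for targets in transitions.values():
        if event in targets:
            return targets[event]
    return None


def check_session(events, transitions=TRANSITIONS, markup=THREAT_MARKUP):
    """Replay one session's events against the EFD. Each event the current state
    does not allow is a deviation: the application was driven along a path the
    functional specification never defined."""
    state, findings = "START", []
    for step, event in enumerate(events, 1):
        nxt = transitions.get(state, {}).get(event)
        if nxt is None:
            findings.append({"step": step, "state": state, "event": event,
                             "severity": markup.get(event, "low")})
            # keep tracking from wherever the event actually lands, if known
            nxt = destination(event, transitions) or state
        state = nxt
    return findings


def parse_log(text):
    """Group log lines into per-session event lists, preserving order."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:                                  # unparseable lines are skipped, not guessed
            sessions.setdefault(m["session"], []).append(m["event"])
    return sessions


def audit_log(text):
    """Deviations per session, each list ordered by threat severity, then by step."""
    return {sid: sorted(check_session(evs),
                        key=lambda f: (SEVERITY_RANK[f["severity"]], f["step"]))
            for sid, evs in parse_log(text).items()}


# Constructed sample: s1 follows the flow; s2 jumps to Send without logging in;
# s3 posts a registration confirmation without ever loading the form.
SAMPLE_LOG = """\
2010-11-10T14:02:01Z s1 GET /
2010-11-10T14:02:04Z s1 GET /?Login
2010-11-10T14:02:09Z s1 GET /?Compose
2010-11-10T14:02:30Z s1 onKeyPressed
2010-11-10T14:02:31Z s1 LI.onChange
2010-11-10T14:02:40Z s1 GET /?Send
2010-11-10T14:05:00Z s2 GET /
2010-11-10T14:05:02Z s2 GET /?Send
2010-11-10T14:05:03Z s2 GET /?Compose
2010-11-10T14:06:00Z s3 POST /?Confirm
2010-11-10T14:06:05Z s3 GET /?Compose
"""

if __name__ == "__main__":
    for sid, findings in audit_log(SAMPLE_LOG).items():
        print(sid, findings or "follows the EFD")
```

The same transition table serves both sides of the talk’s argument: during testing it tells the tester which logic paths exist, and in production the deviations it flags are the “unintended way” the slide warns about, ranked so that the threat-marked steps are looked at first.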
37. Next Generation Automation
Automation of execution flows
• Build maps from user-driven functional scripts
• Recording/Playback
  • Record HTTP requests
  • Record JavaScript events
  • Record Client UI events
• Attacking
  • [Re]Play Flows
  • Auditing HTTP Parameters and HTML Inputs
38. Next: Automatic Exploration
• Similar paths can be easily enumerated
• JS Static Analysis to find other entry points to paths
[Diagram: “Select Flight 1” and “Select Flight 2” paths, the second marked “Automatically Found”]
39. For Next Time…
Layered automation-infused testing
Testing must be layered to fully understand the attack surface of the application, including multiple levels of authentication, business logic, data sets.
Concrete metrics & KPIs
In order to concretely prove functional coverage, application surface area coverage, defect remediation and ultimately risk reduction, business-oriented metrics and KPIs must be gathered.
40. Get to it.
Insert cheesy cliché here…
…or you could just go do it.
Rafal Los
Email: Rafal@HP.com
Twitter: @Wh1t3Rabbit
Skype: Wh1t3Rabbit
Voice: (765) 247-2325
Blog: http://www.hp.com/go/white-rabbit