Real examples of hacking: a set of demos for JavaScript developers, based on a Twitter-like application written in ReactJS and NodeJS. We will run real code and real exploits during the demo.
This document discusses secure ways to store user credentials and passwords. It introduces hashing and salting as techniques to securely store passwords. Hashing generates a fixed-length, one-way digest from a password, while salting adds a random string to the password before hashing. This makes it impractical to recover the original password from a stolen hash, and ensures that even identical passwords have different hashes when salted differently. The document outlines how hashing and salting of passwords can be implemented when users register and log in, providing a secure way to authenticate users without storing their actual passwords.
6 ways to hack your JavaScript application, by Viktor Turskyi (OdessaJS Conf)
There will be 6 live hacking demos. The idea is not to discuss dry theory, but to see in practice how small and not always obvious errors are the source of serious vulnerabilities in your JavaScript application.
Smart Bombs: Mobile Vulnerability and Exploitation, by Tom Eston
Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk will work with applications from the top three main platforms: iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real-world examples of the problems applications face.
Describe briefly the OSI Reference model and its relevance to computer security. [4 Marks]
• Ans 1: The Open Systems Interconnection (OSI) model is a standardized framework for describing how computers communicate with each other over a network. The OSI model also conceptualizes how data flows through a stack of seven layers, beginning with the physical layer and continuing through the data link, network, transport, session, presentation, and finally the application layer (Simoneau, 2006).
The Method of Detecting Online Password Attacks Based on High-Level Protocol ..., IJCNC Journal
Although many solutions have been applied, the security challenges related to the password security mechanism have not been reduced. The reason is that while the means and tools supporting password attacks are becoming more and more abundant, the number of transaction systems on the Internet is increasing and new service systems appear; for example, IoT also uses password-based authentication.

In this context, consolidating password-based authentication mechanisms is critical, but monitoring measures for timely detection of attacks also play an important role in this battle. The password attack detection solutions in use need to be supplemented and improved to meet the new situation. In this paper we propose a solution that automatically detects online password attacks based solely on the network, using unsupervised learning techniques and a protected-application orientation. Our solution therefore minimizes dependence on the factors encountered by host-based or supervised learning solutions. The certainty of the solution comes from using the results of in-depth analysis of attack characteristics to build the detection capacity of the mechanism. The solution was implemented experimentally on a real system and gave positive results.
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5, by sixdub
This document discusses how threat actors can abuse third-party services like social media, cloud storage, and communication platforms to establish command and control (C2) infrastructure and exfiltrate data. It provides examples of real-world adversary campaigns that have leveraged services like Twitter, GitHub, Yahoo Mail, Dropbox, Google Forms, and others. The document argues that detecting such abuse is challenging as it can mimic normal user behavior, but outlines approaches like analyzing network flows, process correlations, and anomalies to help identify compromised systems communicating with third parties for malicious purposes. Detecting these threats requires collecting and correlating diverse endpoint and network data sources.
Defense in Depth: Lessons Learned Securing 200,000 Sites, by Pantheon
Have you ever heard: "HTTPS will slow down your site"? How about: "I'm too small of a website, no one will want to hack me."? All too often security misconceptions lead to security apathy. Join us as we debunk these security myths and more!
We’ll start at the 10,000-foot level, reviewing common myths about secure development, then zoom in closer for a look at security best practices, concluding with a deep dive into a few of the most effective attack mitigation strategies. With the battle scars to back up the information, our presenters will leave you with strategies for securing your project with confidence.
Biggest info security mistakes - Security Innovation Inc., by uNIX Jim
The document discusses five common information security mistakes organizations make: 1) over-relying on network defenses and not focusing enough on application security, 2) believing technology alone will solve security issues without proper training and processes, 3) making assumptions about people's abilities and behaviors, 4) thinking secure software is too costly, and 5) focusing only on recent threats instead of long-term strategies. It provides examples to illustrate these mistakes and recommends organizations do a self-assessment, create an internal security team, ask tough questions, and educate employees to avoid these issues.
The document discusses the history and evolution of DevOps practices over time, from concepts like daily builds in the 1990s to more recent approaches like infrastructure as code and serverless architectures. It provides an overview of key figures and texts that helped establish ideas like continuous integration, continuous delivery, and site reliability engineering. The document also shares the author's perspective on what commercial security tools have been developed for DevOps workflows and mentions some open source collaboration and automation tools.
The document provides guidance on using cheat sheets to study for the EC-Council Certified Ethical Hacker exam. It recommends printing out the cheat sheets, copying them by hand multiple times, and adding notes to help master the concepts and recall important information during the exam without needing the original sheets. A chapter map outlines the topics covered in the various cheat sheets to aid preparation.
Security engineering 101: when good design & security work together, by Wendy Knox Everette
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. XSS has been one of the top vulnerabilities on the OWASP Top Ten list for many years. While XSS attacks can compromise user sessions and steal sensitive data, developers can prevent XSS through proper input sanitization and output encoding. As web applications continue to grow in use, jobs in web application security and penetration testing are also expected to increase significantly in the coming years.
Do you do enough to keep your source code secure from hackers and thieves? Here's the four-step plan we used to lock down our vital intellectual property.
Web Security: What's wrong, and how the bad guys can break your website, by Andrew Sorensen
1. The document summarizes a presentation on web security given to the Seattle PHP Users Group. It discusses common web vulnerabilities like SQL injection, cross-site scripting, and insecure direct object references.
2. It provides tips for protecting websites such as implementing a web application firewall, securing file permissions, and using HTML5 features like Content Security Policy headers.
3. The presentation emphasizes that security is an ongoing process of monitoring for updates, testing with hacking tools, and seeking outside reviews of a site's security.
PyConline AU 2021 - Things might go wrong in a data-intensive application, by Hua Chu
We are going to go behind the scenes of building a data-intensive system. The story includes challenges I have faced and what I learned from those incidents.
https://2021.pycon.org.au/program/8hlvvs/
Web Application Testing for Today’s Biggest and Emerging Threats, by Alan Kan
The document discusses emerging threats to web applications and strategies for testing applications to identify vulnerabilities. It finds that nearly half of all vulnerabilities are in web applications, with cross-site scripting and SQL injection being most common. Many vulnerabilities have no patches available yet. New attack types like client-side vulnerabilities are also emerging. The document advocates integrating security testing into the development process to help developers write more secure code and find issues early.
The document provides a list of interview questions for information security positions. The questions cover a wide range of technical and theoretical topics, and are designed to assess candidates' knowledge as well as their ability to think through problems. The questions probe areas like security news sources, encryption vs compression, HTTP vs HTML, cross-site scripting, cryptography, networking, and organizational priorities. The goal is to evaluate candidates' familiarity with the field as well as their composure when facing unfamiliar questions.
The document provides a list of interview questions for information security positions. The questions cover a range of technical and theoretical topics related to information security. They are designed to assess candidates' knowledge as well as their ability to think through problems and articulate their thought processes, even without preparation. The questions range from easy to difficult, and include some "trick" questions intended to expose technical weaknesses rather than test cunning.
Making application threat intelligence practical - DEM06 - AWS re:Inforce 2019, by Amazon Web Services
The daily volume of cyberattacks that target applications and the frequency of associated breaches is overwhelming to even the most experienced security professionals. We cover important lessons learned from F5 Labs’ analysis of global attack data and breach root causes that are attributed to application threats. This helps you understand attackers’ top targets and motives and the changing application security landscape of systems used to launch application attacks. Addressing these threats requires practical controls that organizations can be successful with. We offer tips and tricks that you can work on immediately to address common application threats and appropriately prioritize your application security controls.
Java application security the hard way - a workshop for the serious developer, by Steve Poole
Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters, but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands-on exercises. Serious though the topic is, this practical session will be fun and will leave you more informed and better prepared. Start building your security memory muscle here.
This document provides guidelines for elementary information security practices for organizations. It discusses basic steps organizations can take to improve security without spending much money. The guidelines are divided into sections on basic security, web application security, network/host security, and include recommendations such as using strong passwords, encrypting sensitive data, updating software regularly, conducting security awareness training, and closing unnecessary network ports. The overall aim is to help organizations identify and address common security mistakes and vulnerabilities.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Big Data Analytics to Enhance Security, คุณอนพัทย์ พิพัฒน์กิติบดี, Technical Ma..., by BAINIDA
This document discusses using big data analytics to enhance security. It begins by defining big data analytics and describing security trends like the evolution from intrusion detection systems to security information and event management (SIEM) to next-generation SIEM using big data analytics. An example of an advanced persistent threat is provided. The document then discusses integrating security analytics with open source tools like SQRRL and Prelert. Finally, it covers how to apply these concepts by determining what security-related data can be collected and two options for implementing big data analytics in a security program.
Why security is the kidney, not the tail, of the dog (v3), by Ernest Staats
Security is sometimes thought of as being the tail that wags the dog. A better analogy is that cyber security should be the kidneys of the organization, taking out the waste while allowing the useful information to pass.
How to create a high-performance Excel engine in JavaScript, by Viktor Turskyi
You have complex mathematical models (millions of cells, hundreds of thousands of formulas) in Excel, and you need to run them in the browser and on mobile without Excel. I will talk about how we created our own spreadsheet engine, compatible with MS Excel, which allows us to run any Excel model without Excel. I will talk about:
* Architecture
* Algorithms
* JavaScript performance optimization.
Having 15 years of experience in web development, I have tried my hand at dozens of validation libraries but didn’t manage to find one that handles all my tasks. 5 years ago we decided to create a validator that would be better than any other. Now LIVR supports a dozen programming languages and is battle tested in hundreds of projects. I will talk about the ideas behind it, the architecture, use cases, pros and cons, and will show real examples.
Similar to KharkivJS 2018 Information Security Practice
Biggest info security mistakes security innovation inc.uNIX Jim
The document discusses five common information security mistakes organizations make: 1) over-relying on network defenses and not focusing enough on application security, 2) believing technology alone will solve security issues without proper training and processes, 3) making assumptions about people's abilities and behaviors, 4) thinking secure software is too costly, and 5) focusing only on recent threats instead of long-term strategies. It provides examples to illustrate these mistakes and recommends organizations do a self-assessment, create an internal security team, ask tough questions, and educate employees to avoid these issues.
The document discusses the history and evolution of DevOps practices over time, from concepts like daily builds in the 1990s to more recent approaches like infrastructure as code and serverless architectures. It provides an overview of key figures and texts that helped establish ideas like continuous integration, continuous delivery, and site reliability engineering. The document also shares the author's perspective on what commercial security tools have been developed for DevOps workflows and mentions some open source collaboration and automation tools.
The document provides guidance on using cheat sheets to study for the EC-Council Certified Ethical Hacker exam. It recommends printing out the cheat sheets, copying them by hand multiple times, and adding notes to help master the concepts and recall important information during the exam without needing the original sheets. A chapter map outlines the topics covered in the various cheat sheets to aid preparation.
Security engineering 101 when good design & security work togetherWendy Knox Everette
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. XSS has been one of the top vulnerabilities on the OWASP Top Ten list for many years. While XSS attacks can compromise user sessions and steal sensitive data, developers can prevent XSS through proper input sanitization and output encoding. As web applications continue to grow in use, jobs in web application security and penetration testing are also expected to increase significantly in the coming years.
Do you do enough to keep your source code secure from hackers and thieves? Here's the four-step plan we used to lock down our vital intellectual property.
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
1. The document summarizes a presentation on web security given to the Seattle PHP Users Group. It discusses common web vulnerabilities like SQL injection, cross-site scripting, and insecure direct object references.
2. It provides tips for protecting websites such as implementing a web application firewall, securing file permissions, and using HTML5 features like Content Security Policy headers.
3. The presentation emphasizes that security is an ongoing process of monitoring for updates, testing with hacking tools, and seeking outside reviews of a site's security.
PyConline AU 2021 - Things might go wrong in a data-intensive applicationHua Chu
We are going to go behind the scene of building a data-intensive system. The story includes challenges I have faced and what I learned from those incidents.
https://2021.pycon.org.au/program/8hlvvs/
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
The document discusses emerging threats to web applications and strategies for testing applications to identify vulnerabilities. It finds that nearly half of all vulnerabilities are in web applications, with cross-site scripting and SQL injection being most common. Many vulnerabilities have no patches available yet. New attack types like client-side vulnerabilities are also emerging. The document advocates integrating security testing into the development process to help developers write more secure code and find issues early.
The document provides a list of interview questions for information security positions. The questions cover a wide range of technical and theoretical topics, and are designed to assess candidates' knowledge as well as their ability to think through problems. The questions probe areas like security news sources, encryption vs compression, HTTP vs HTML, cross-site scripting, cryptography, networking, and organizational priorities. The goal is to evaluate candidates' familiarity with the field as well as their composure when facing unfamiliar questions.
The document provides a list of interview questions for information security positions. The questions cover a range of technical and theoretical topics related to information security. They are designed to assess candidates' knowledge as well as their ability to think through problems and articulate their thought processes, even without preparation. The questions range from easy to difficult, and include some "trick" questions intended to expose technical weaknesses rather than test cunning.
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Amazon Web Services
The daily volume of cyberattacks that target applications and the frequency of associated breaches is overwhelming to even the most experienced security professionals. We cover important lessons learned from F5 Labs’ analysis of global attack data and breach root causes that are attributed to application threats. This helps you understand attackers’ top targets and motives and the changing application security landscape of systems used to launch application attacks. Addressing these threats requires practical controls that organizations can be successful with. We offer tips and tricks that you can work on immediately to address common application threats and appropriately prioritize your application security controls.
Java application security the hard way - a workshop for the serious developer (Steve Poole)
Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters, but it is hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands-on exercises. Serious though the topic is, this practical session will be fun and will leave you more informed and better prepared. Start building your security memory muscle here.
This document provides guidelines for elementary information security practices for organizations. It discusses basic steps organizations can take to improve security without spending much money. The guidelines are divided into sections on basic security, web application security, network/host security, and include recommendations such as using strong passwords, encrypting sensitive data, updating software regularly, conducting security awareness training, and closing unnecessary network ports. The overall aim is to help organizations identify and address common security mistakes and vulnerabilities.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Big Data Analytics to Enhance Security, คุณอนพัทย์ พิพัฒน์กิติบดี, Technical Ma... (BAINIDA)
This document discusses using big data analytics to enhance security. It begins by defining big data analytics and describing security trends like the evolution from intrusion detection systems to security information and event management (SIEM) to next-generation SIEM using big data analytics. An example of an advanced persistent threat is provided. The document then discusses integrating security analytics with open source tools like SQRRL and Prelert. Finally, it covers how to apply these concepts by determining what security-related data can be collected and two options for implementing big data analytics in a security program.
Why security is the kidney, not the tail of the dog, v3 (Ernest Staats)
Security is sometimes thought of as the tail that wags the dog. A better analogy is that cyber security should be the kidneys of the organization: taking out the waste while allowing the useful information to pass.
Similar to KharkivJS 2018 Information Security Practice
How to create a high-performance Excel engine in JavaScript (Viktor Turskyi)
You have complex mathematical models (millions of cells, hundreds of thousands of formulas) in Excel, and you need to run them in the browser and on mobile without Excel. I will talk about how we created our own spreadsheet engine, compatible with MS Excel, which allows us to run any Excel model without Excel. I will talk about:
* Architecture
* Algorithms
* JavaScript performance optimization.
Having 15 years of experience in web development, I have tried my hands at dozens of validation libraries but did not manage to find one to handle all my tasks. Five years ago we decided to create a validator that would be better than any other. Now LIVR supports a dozen programming languages and is battle-tested in hundreds of projects. I will talk about the ideas behind it, the architecture, use cases, pros and cons, and will show real examples.
The working architecture of node js applications open tech week javascript ... (Viktor Turskyi)
We launched more than 60 projects and developed a web application architecture that is suitable for projects of completely different sizes. In the talk I will analyze this architecture, consider the question of whether to choose a monolith or microservices, and show the main architectural mistakes that developers make.
Viktor Turskyi presented Mole RPC, a new JSON RPC library he created. He discussed why existing JSON RPC libraries did not meet his needs of being transport agnostic, supporting bidirectional communication, and having a modern API. Mole RPC supports multiple transports including WebSockets, HTTP, MQTT and more. It aims to have a lightweight core with extensible transports and easy testing of new transports. Viktor outlined several use cases for Mole RPC and plans to improve documentation, finalize the API, and create additional transports prior to a 1.0 release.
"Offline mode for a mobile application, redux on server and a little bit abou... (Viktor Turskyi)
The talk covers the following topics:
1. Introduction to event sourcing.
2. How event sourcing and Redux are similar.
3. How to implement offline mode for React Native application.
4. How everything from above was run in a production.
The working architecture of NodeJs applications (Viktor Turskyi)
Talk at KharkivJs 2017, Viktor Turskyi.
Why talk about the architecture?
1) 99% of NodeJs examples on Internet are “hello world” examples
2) A lot of misunderstandings around architectural patterns
Language Independent Validation Rules 2.0, Viktor Turskyi, talk at OSDN 2017 (Viktor Turskyi)
Universal data validation specification (http://livr-spec.org/) Main ideas:
* Rules are declarative and language independent
* Any number of rules for each field
* Validator should return together errors for all fields
* Exclude all fields that do not have validation rules described
* Possibility to validate complex hierarchical structures
* Easy to describe and understand validation
* Returns understandable error codes (neither error messages nor numeric codes)
* Easy to implement own rules (usually you will have several in every project)
* Rules should be able to change results output ("trim", "nested_object", for example)
* Multipurpose (user input validation, configs validation, contracts programming etc)
* Unicode support
There are implementations for:
* Perl
* JavaScript
* PHP
* Ruby
* Python
* Erlang
How to extract information from text with Semgrex (Viktor Turskyi)
Semgrex allows users to extract information from text using patterns that match syntactic dependencies in sentences. It provides examples of patterns that match noun subjects, direct objects, pronouns, and regular expressions. The document also includes links to the Semgrex npm package, a demo application on GitHub, and resources for natural language processing and syntactic dependencies.
How to translate your Single Page Application - Webcamp 2016 (en) (Viktor Turskyi)
1. The document discusses internationalization (I18N) and localization (L10N) for single page applications, specifically how to translate text strings.
2. It recommends using keys in the form of English phrases instead of numeric or string keys, and using the Gettext standard which supports plural forms and passing context between source and translated strings.
3. Examples are given of implementing I18N in JavaScript using libraries like Jed and integrating translations with React applications.
Itsquiz is a cloud-based testing platform that provides knowledge assessment and skills testing solutions for educational institutions, businesses, and individuals. It offers comprehensive analytics, an innovative quiz marketplace, and tools for talent identification and recruitment. Itsquiz aims to build a global network for knowledge testing and obtain a leadership position in the cloud-based qualifications testing market. It has developed a minimum viable product and seeks funding to further develop the platform and launch marketing campaigns to reach its goal of 10 million users.
How to create isomorphic application in React and Redux. What pitfalls will you meet during the work? WebbyLab moves isomorphic production app to Github (https://github.com/webbylab/itsquiz-wall)
Kharkiv JS 2015: The pain and joy of building isomorphic applications in ReactJS (RU) (Viktor Turskyi)
Experience of building an isomorphic application in React: the pitfalls you will have to face.
Application: http://wall.itsquiz.com
Source code: https://github.com/WebbyLab/itsquiz-wall
Language Independent Validation Rules (LIVR) (Viktor Turskyi)
This document introduces Language Independent Validation Rules (LIVR), a universal validator that allows defining validation rules in a declarative and language-independent way. LIVR rules can validate different data types including nested objects, lists, and custom objects. Rules are easy to describe and understand. LIVR has been implemented in several programming languages and provides a universal test suite. Examples demonstrate validating registration data, nested objects, lists, list of objects, and modifying output.
This document discusses various Perl concepts including:
- Using local to localize variables within a block
- Slurping a file into a scalar variable
- Using $_ as the default iterator variable in a foreach loop
- Using Try::Tiny to catch exceptions
- Creating private methods using Sub::Name
- Undefined variables after iterating over an array with foreach
- Matching regular expressions
- Best practices for module loading with @INC and PERL5LIB
3. Why do I talk about security?
1. I switched to software development from IT security
2. I have worked with software engineers for many years, and this topic is highly under-covered
3. I have worked with different businesses for many years, and the risks are highly underestimated
4. Governmental regulations (GDPR, PCI DSS, etc.)
5. It makes you a better software engineer
6. It is FUN!!
4. What will I talk about?
1. Not about the OWASP (Open Web Application Security Project) Top 10 report
2. Not about security tools (metasploit, sqlmap, etc.)
3. Not about Content Security Policy
4. Only practical cases that we’ve met in real life.
5. JavaScript based demos
6. Real cases simulated in environment
a. React frontend
b. NodeJs backend
c. Set of exploits
7. Case 1: Takeaways
MongoDB ObjectId is predictable (4-byte timestamp, 5-byte per-process random value, 3-byte incrementing counter)
UUID v1 is predictable (unique, but not random: timestamp, clock sequence and MAC address)
UUID v4 is random, not predictable, provided the generator draws it from a CSPRNG (older libraries that fall back to Math.random() are not safe)
Always think about the predictability of URLs, keys and other identifiers
15. Case 5: Takeaways
Do not use a regex to strip script tags
Use a sanitizer with an allow-list of tags and attributes
A permissive CORS policy lets scripts make cross-domain requests (and read the responses)
Stored XSS in user content can self-propagate (XSS worms)
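An added example for Case 5, not from the talk or its demo application, of why the regex approach fails. naiveStripScripts stands in for the kind of blocklist filter the case is about, the payloads are constructed for this illustration, and looksExecutable is a crude check used only to report which payloads survive a filter (it is not a sanitizer). None of these names come from the demo application.

```javascript
// Blocklist filter of the kind seen in real code: remove <script> tags.
function naiveStripScripts(html) {
  return html.replace(/<\/?script[^>]*>/gi, '');
}

// Safe default for untrusted text: encode, do not filter. The output is
// inert inside an element body and inside a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Demo-only check: does the filtered output still contain a script element
// or a tag carrying an on* event-handler attribute? Good enough to report
// results for the payloads below; not a substitute for a sanitizer.
function looksExecutable(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payloads (assumed for this example).
const payloads = {
  // The one case the filter handles, which is what makes it look safe.
  plain: '<script>alert(1)</script>',
  // Nested tag: one pass removes the inner tags, and the remaining pieces
  // reassemble into exactly the tag the filter was meant to remove.
  nested: '<scr<script>ipt>alert(1)</scr</script>ipt>',
  // No script tag at all: the handler runs when the image fails to load.
  imgHandler: '<img src=x onerror=alert(1)>',
};

// Which payload names still look executable after `filter` ran over them?
function survivors(filter) {
  return Object.entries(payloads)
    .filter(([, p]) => looksExecutable(filter(p)))
    .map(([name]) => name);
}

console.log('after regex strip:', naiveStripScripts(payloads.nested)); // <script>alert(1)</script>
console.log('survive regex strip:', survivors(naiveStripScripts));    // [ 'nested', 'imgHandler' ]
console.log('survive escaping:', survivors(escapeHtml));              // []
```

For output that does not need markup, escapeHtml (or letting React render the string as text rather than via dangerouslySetInnerHTML) is the whole fix. When users may post rich text, pass it through an allow-listing sanitizer such as DOMPurify with explicit ALLOWED_TAGS and ALLOWED_ATTR instead of writing a filter; a sanitizer that parses the HTML does not have the reassembly problem the nested payload shows.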
20. Case 8..14:
Case 8: Clickjacking
Case 9: Tabnabbing
Case 10: CSRF (cookie, basic auth)
Case 11: SQL Injection (pass through ORM)
Case 12: ORM Injection
Case 13: Unsafe HTTPS Redirect
Case 14: Target=_blank (without rel="noopener noreferrer")
21. Why I like information security
Information security is about understanding how things work
It makes you a better developer
You can create more complex projects
It is fun