In May, a security researcher reported a vulnerability in a Shopify microservice and demonstrated how it could be used to access keys from the Google Cloud metadata API. This could have led to a cluster takeover, for which Shopify awarded $25k through its bug bounty program.
Shane will share his experience responding to the report, analyzing Kubernetes audit logs, and hardening the cluster to block the escalation path. Together, Greg and Shane will describe some example Kubernetes audit log queries that can help discover unusual activity in the form of Kubernetes API access, and assess the impact of credential exposure, such as in this report. The collection of example queries will be released for use by the Kubernetes community and we will also share some hardening best practices.
https://kccna18.sched.com/event/GrZf/shopifys-25k-bug-report-and-the-cluster-takeover-that-didnt-happen-greg-castle-google-shane-lawrence-shopify
In this session we will learn how to start using ContentBox and, from the beginning, set up your site to be containerized and deployed with Continuous Integration to a cloud provider on a Docker Swarm. You will learn about Ortus Solutions' (a Docker Partner) Docker images for CommandBox and ContentBox, and how to build your site, dockerize it, and then deploy it (using only free tools) to the cloud of your choice. If the live demo gods are on our side, I will deploy a new site to Digital Ocean at the end of this session.
Presented at Into the Box 2019
Learn how we built search for Bitbucket Cloud using a Microservices approach, leveraging the foundation we shipped in Bitbucket Server. Hear about the challenges faced when building search for millions of users, building on top of the Bitbucket Connect platform, the approach the team took, and the lessons we learned.
Stefan Saasen, Bitbucket Architect, Atlassian
Integration Testing on Steroids: Run Your Tests on the Real Things (Atlassian)
At AtlasCamp 2018, Jon Mort and Mark Gibson from Adaptavist gave a presentation about how they brought Arquillian into the Atlassian SDK.
In this talk, Jörg Brandstätt from Resolution will help you to put their learnings into practice and take your tests to the next level. He will also share how Resolution is using this approach to test some of the Top 30 Server & Data Center apps.
The session covers how you can run your test code on remote Server and Data Center instances with different databases ad hoc, from within your IDE and during the build process, and provides detailed information about how to set up Maven to execute your tests within your Bitbucket build pipelines.
Building a Cerberus App Without Losing Our Heads: The Passage to a Cross-Plat... (Atlassian)
Dragos Ciupureanu and Sandesh Kumar from Adaptavist share their experiences in expanding an app from a Server-only offering to a top-selling and highly rated cross-platform app available for Server, Data Center and Cloud.
They’ll share insights into the compromises and challenges they faced in developing the app for multiple environments while ensuring they didn’t let their users down in the process.
Their presentation will be interactive, allowing the audience to be part of a choose-your-own-adventure-style journey that will explore the tools and processes they have discovered that help them be successful at speed.
Scaling Indexing and Replication in Jira Data Center Apps (Atlassian)
Building an app that scales well for Jira Data Center can be challenging, especially with regards to index replication.
Andriy Yakovlev, a Principal Premier Support Engineer at Atlassian, will share some common problems customers have experienced with apps on large instances, and how to prevent them.
Attendees will learn about how indexing works in Jira, and how indexes are replicated in Jira Data Center, as well as what to look out for to prevent problems before they happen.
Leaning into Server to Cloud App Migration (Atlassian)
Interest in Atlassian Cloud by Server (and Data Center) customers has been steadily increasing, propelled by new cloud capabilities like SAML authentication, SCIM provisioning, local data centers for performance, encryption at rest, guaranteed uptime, unlimited storage, and the ever-increasing availability of essential Marketplace apps.
To anticipate increasing demand, the time has come to develop a standard app migration framework that makes migrating app data from Server to Cloud feasible, intuitive, reliable, secure, and above all, self-serve.
In this talk, Chris Clarke will provide an overview of our emerging app data migration architecture, how it will integrate into our evolving Cloud Migration Assistants, and what we’d need from Marketplace vendors to make it work. App migration will be a key part of every customer’s migration journey and we will only be successful by working on it together.
Preparing for Data Residency and Custom Domains (Atlassian)
Atlassian customers have long requested the ability to control where they host their content in Atlassian Cloud. They’ve also long desired the ability to configure their cloud products to be accessible via a custom domain. These features are coming soon to Jira and Confluence Cloud! What will this mean for Marketplace app developers?
Join Nuwan Ginige, Principal Product Manager on the Cloud Platform team, as he walks through how the evolution of Atlassian's cloud platform has shaped the development of these capabilities. Learn how these changes will impact Marketplace apps, and how you can get involved in the app vendor early access program before general availability.
Spec-first API Design for Speed and Safety (Atlassian)
Spec-first API design dramatically tightens and improves the development feedback loop without wasting effort on artifacts that can't be used.
The Jira Software team has used this approach very successfully to build APIs that we expose to both internal and external consumers.
In this session, James Navin will walk you through the spec-first approach and demonstrate the benefits that it brings. He will also highlight some tools that can be used to implement a spec-first development approach.
A realtime infrastructure for Android apps: Firebase may be what you need..an... (Alessandro Martellucci)
Having grown up as a cloud database and now backed by Google, Firebase presents itself as a powerful platform for mobile and web applications.
These slides give you an overview and an introduction to the Firebase NoSQL database, how to integrate it into your Android app and how to put it into a realtime context!
This document provides an overview of Burr Sutter's 9 steps to getting awesome with Kubernetes. It begins with an introduction and outlines the steps which include installing Kubernetes, building container images, using kubectl commands, viewing logs, configuring environments, service discovery, rolling updates, and debugging databases. It also discusses options for installing Kubernetes like Minikube, managing Kubernetes manifests, building container images, and using operators. The document provides resources for learning more about each step and technology discussed.
Creating Your Own Server Add-on that Customizes Confluence or JIRA (Atlassian)
JIRA and Confluence are highly versatile products that just about any team can use. But what if your team has special use cases or needs? That's where customization comes in – and you can do it, using the Plugins 2 (P2) framework for our Server family of products. Join developer advocate Melissa Paisley to learn how to start. She'll cover key technologies, walk through a demo, and show you where to get further information. Thanks to P2, you can make JIRA and Confluence a perfect fit for your team.
Melissa Paisley, Developer Support, Atlassian
The document summarizes the author's experience with integrations at Alfresco. It discusses how the integrations team has grown and now works on projects like Google Docs v2, Jive Toolkit, Dropbox Connector, and Maven support. It describes some of the challenges faced with integrations, like syncing between multiple sources and handling file changes and versions across systems. It provides details on the Google Docs v2 and Dropbox Connector integrations, including functionality, status, and future plans. It also discusses using Maven and the OAuth credentials service used by some integrations.
Integrating Jira Software Cloud With the AWS Code Suite (Atlassian)
This document discusses integrating Jira Software Cloud with the AWS Code Suite. It covers using Atlassian Connect and Spring Boot to build a Jira app, deploying the necessary AWS infrastructure including ECS, CodePipeline, Lambda, and ECR, and using Lambda functions and triggers to integrate development workflows and send build data from AWS to Jira. The presentation provides an overview of the key AWS services and development tools used, sample code and configurations, and best practices for building and hosting containerized Jira apps on AWS.
Ten Battle-Tested Tips for Atlassian Connect Add-ons (Atlassian)
The document provides 10 tips for building battle-tested Atlassian Connect add-ons:
1. Automate deployments so they are a single button press.
2. Create rules for deploying to production to make it easy and safe.
3. Understand dependencies and implications of what is built and used.
4. Use other services where it makes sense to avoid reinventing the wheel.
5. Monitor components, servers, applications, users to know where failures happen.
6. Have recovery plans tested regularly to prepare for failures.
7. Handle failures by focusing on fixing issues with notifications and status updates.
8. Plan for traffic patterns to ensure scaling is possible when needed.
Atlassian Connect on Serverless Platforms: Low Cost Add-Ons (Atlassian)
Join Atlassian developer Patrick Streule to learn about a Java- and JavaScript-based framework that makes it easy for developers to create and deploy serverless add-ons, thanks to platforms like AWS Lambdas and DynamoDB. He'll cover the overall architecture of serverless add-ons, then explain how to manage security, deployments, and integrations with various AWS services and other modern serverless providers.
Patrick Streule, Architect, Atlassian
Google App Engine allows users to host web applications on Google's infrastructure without having to maintain servers or databases. It provides automatic scaling, free quotas for storage and bandwidth usage, and a simple deployment process. The document provides an overview of App Engine, including how to get started, the services it offers like Datastore and Memcache, and best practices for building scalable applications on the platform.
After a day of learning about the exciting features of Forge, get ready for a peek under the hood to discover how it’s all implemented. Join Forge Architect Patrick Streule as he goes deep on topics such as Forge FaaS infrastructure, the internal workings of tenant isolation, and automatic authentication.
Attendees will also get a glimpse of some features we’re looking at building into the future of Forge, such as a serverless data store for apps and more!
From AUI to Atlaskit - Streamlining Development for Server & Cloud Apps (Atlassian)
So, you have a Server App developed with Atlassian User Interface (AUI) and now want to know how to transition it to Atlaskit. Do you also want to move it to Cloud and re-use the UI without massive headaches?
Naiara Martin, of Comalatech, has been there, done that.
An Exploration of Cross-product App Experiences (Atlassian)
Atlassian has been building out the Teamwork platform, bringing cross-product experiences like the rich-text editor to all of our products. Extending the Teamwork platform presents a new opportunity for developers.
In this talk, we'll share more on what the Teamwork platform is, where it is available, and explore how we're thinking app developers might extend the platform. Learn more about the future vision of building cross-product apps, consider what new opportunities it might present for your team, and give early feedback on how you'd like to see it evolve.
GraphQL APIs offer greater flexibility than traditional REST APIs and are particularly suited for mobile app development. Exposing a GraphQL API is also becoming an expected part of the API offering of many platforms. GraphQL APIs work differently to traditional REST APIs and also present some unique operational challenges.
In this session, Ben Morgan will get you ready to build and run a GraphQL API. The session is focussed on the design and operational side. We will cover the basics of GraphQL; design patterns for GraphQL; how to operate a GraphQL API; and take a look at available tooling.
Why write two add-ons when you can write one and deploy it to both Server and Cloud? Charles Gutjahr from ThinkTilt shares how they brought their Connect add-on to different clouds. Learn how he packaged the add-on in a Docker container to offer it behind the firewall. Hear about the implications for installation, data storage, security, and functionality. By the end of the talk, you'll be able to decide whether Dockerization is the right choice for your add-on.
Charles Gutjahr, Co-Founder and Technology Architect, ThinkTilt
Cloud Workflows: What's new in serverless orchestration and automation (Márton Kodok)
Understand how Cloud Workflows resolves challenges in connecting services, HTTP-based service orchestration and automation. We are going to dive deep into how serverless HTTP service automation works to automate step engines. Based on practical examples, we will demonstrate the newest features that let you automate the cloud and integrate with any Google Cloud product without worrying about authentication.
The document discusses new features and capabilities in Java EE 7 including support for WebSockets, JSON processing, batch applications, concurrency utilities, and a simplified JMS API. It highlights 10 top features in Java EE 7 and provides code examples for using new APIs like the WebSocket API and JSON processing API. The document promotes Java EE 7's focus on increased developer productivity and its ability to build next generation HTML5 applications and scale to demanding enterprise requirements.
The User Who Must Not be Named: GDPR and Your Jira App (Atlassian)
The upcoming Jira Server user anonymization feature makes administrators' lives easier, as it adds extensive in-product support for the EU's right to be forgotten. At the same time, it has an immense impact on the majority of Marketplace apps and will break some of them.
Join Daniel Rauf, Software Engineer for Jira Server, to learn how to keep your app in a consistent state, explore newly added APIs allowing you to react to the anonymization, and efficiently assess your implementations with end-to-end tests.
SpringOne Platform 2017
Phil Webb, Pivotal
"Spring Boot 2.0 introduces a host of new features and a whole lot of behind-the-scenes changes. This talk will cover all the major improvements, show you how to migrate a Boot 1.5 application, and discuss some of the smaller tweaks and utilities that you might not be aware of.
We'll also cover some of the changes we made to the Spring Boot internals, discuss why we made them, and how they will help with future releases."
Resilient and Adaptable Systems with Cloud Native APIs (VMware Tanzu)
SpringOne 2021
Session Title: Resilient and Adaptable Systems with Cloud Native APIs
Speakers: Olga Maciaszek-Sharma, Senior Member of Technical Staff at VMware; Spencer Gibb, Spring Cloud Core Lead at VMware
API Security - OWASP top 10 for APIs + tips for pentesters (Inon Shkedy)
The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include fewer abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API Security project and its proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.
A 30-45 minute tech talk given at user groups or technical conferences, introducing developers to integrating with Google APIs from Python.
ABSTRACT
Want to integrate Google technologies into the web and mobile apps that you build? Google has various open source libraries and developer tools that help you do exactly that. Users who have run into roadblocks like authentication, or found our APIs confusing or challenging, are welcome to come and make these non-issues moving forward. Learn how to leverage the power of Google technologies in the next apps you build!
Discover how to build APIs using the Apigee API Services toolkit. Deep dive into Apigee's API Serives solution, API design and management technology including OAuth and security, persistence & caching, Node.js and more.
The journey of Moving from AWS ELK to GCP Data PipelineRandy Huang
This is a real case from VMfive to shifting ELK architecture from AWS. Currently GCP Data Pipeline provide us more efficiency and stable environment for running our service.
Creating a World-Class RESTful Web Services APIDavid Keener
Companies like Amazon, Google and Yahoo have published web services API's that empower developers to create mash-ups, add-ons and full-scale applications. The creation of such API's, however, is not exclusively the domain of large, multi-national corporations. Learn how to architect, build and field a well-designed and scalable RESTful web services API that will allow your business to leverage the capabilities of the developer community. This presentation includes real-life examples from the Grab Networks RESTful API, which provides access to information about the hundreds of thousands of news videos available through Grab Networks' distribution network.
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Jonathan Barton
Creating flexible, resilient access to real-time sensor data can be challenging – especially when your device targets can literally disappear off the face of the Earth! See how groups of students and instructors are using the goMake API to talk with high-altitude balloon telemetry as it skirts the edge of the stratosphere, and the design considerations involved in making this a scalable platform for project-based STEM learning that aims to instill a sense of wonder.
Gimel is a data abstraction framework built on Apache Spark - providing unified Data Access via API & SQL to different technologies such as kafka, elastic, HBASE, Rest API, File, Object stores, Relational , etc.
We spoke about this recently in the "cloud track" in the "Scale By The Bay" Conference.
https://www.scale.bythebay.io/schedule
https://sched.co/e55D
Youtube - https://www.youtube.com/watch?v=cy8g2WZbEBI&ab_channel=FunctionalTV
https://youtu.be/m6_0iI4XDpU
Build an AI/ML-driven image archive processing workflow: Image archive, analy...wesley chun
Google provides a diverse array of services to realize the ambition of solving real business problems, like constrained resources. An image archive & analysis plus report generation use-case can be realized with just GWS (Google Workspace) & GCP (Google Cloud) APIs. The principle of mixing-and-matching Google technologies is applicable to many other challenges faced by you, your organization, or your customers. These slides are from the half-hour presentation about this case study.
Gimel at Dataworks Summit San Jose 2018Romit Mehta
Gimel is PayPal's data platform that provides a unified interface for accessing and analyzing data across different data stores and processing engines. The presentation provides an overview of Gimel, including PayPal's analytics ecosystem, the challenges Gimel addresses around data access and application lifecycle, and a demo of how Gimel simplifies a flights cancelled use case. It also discusses Gimel's open source journey and integration with ecosystems like Spark and Jupyter notebooks.
Gimel Data Platform is an analytics platform developed by PayPal that aims to simplify data access and analysis. The presentation provides an overview of Gimel, including PayPal's analytics ecosystem, the challenges Gimel addresses in data access and application lifecycle management, a demo of a sample flights cancelled use case using Gimel, and PayPal's plans to open source Gimel.
Walls Within Walls: What if your attacker knows parkour?Greg Castle
What happens if an attacker escapes a container and compromises your node? Is it game over for the whole cluster, or can you limit the blast radius? Whether it be for defense in depth or multi-tenancy, it is important to understand the security boundaries in your cluster. In this talk, we’ll discuss various isolation approaches and evaluate them through the eyes of an attacker who has compromised a node and is looking to propagate.
We’ll deep dive on ‘node isolation’: using Kubernetes scheduling to execute workloads on separate nodes, and demonstrate live attacks and defences to educate about strengths and weaknesses of this strategy. We’ll also discuss progress made by SIG-Auth in this area over the past few releases. After this talk you will understand when node isolation is or isn't an appropriate security mechanism, the steps to implement it, and what some alternatives are.
The Powerful and Comprehensive API for Mobile App Development and TestingBitbar
Watch a live presentation at http://offer.bitbar.com/the-powerful-and-comprehensive-api-for-mobile-app-development-and-testing
Testdroid provides a very powerful and useful API for its users to manage all aspects of mobile development and testing automatically. This powerful API caters your needs to instantly access our device farm, manage your projects, your test runs and results, plus many other things that will make your mobile app, game and web testing smoother, faster and less stressful on real Android and iOS devices.
Stay tuned and join our upcoming webinars at http://bitbar.com/testing/webinars/
What's new in App Engine and intro to App Engine for BusinessChris Schalk
This is a presentation given by Devfest Madrid 2010 by Google Developer Advocate Chris Schalk on "What's new in Google App Engine and Intro to App Engine for Business"
Getting Started with API Management – Why It's Needed On-prem and in the CloudRevelation Technologies
APIs are one of the main elements of cloud services. All major cloud service providers expose REST APIs to allow you to programmatically access their services and capabilities. SOAP and REST are the two most common ways of exposing APIs, whether to external, partner, cloud, or internal developers.
The concept of API management is to publish these web APIs for consumption, and includes capabilities such as monitoring, security, and documentation.
This presentation introduces basic concepts of APIs, API management, cloud REST services, and a brief walkthrough of WSO2 API Manager and Oracle API Gateway to see how you can centrally publish, expose, and secure APIs, essentially virtualizing your backend services.
Google App Engine for Java allows developers to build and deploy web applications without managing servers. It provides services for web apps, data storage, authentication, email, and tasks. While it supports many features, it currently lacks support for custom domains on some services, long-running background processes, streaming, and FTP access. The free account has quotas that refresh daily, including a 10MB app size limit and 3000 file limit per app. The document then demonstrates the App Engine dashboard and tools for viewing apps, datastore, and deploying a Java WAR file.
Google Cloud Computing for Java Developers: Platform and Monetization was a presentation given by Chris Schalk at TheEdge 2010 conference in Tel Aviv, Israel on December 16, 2010. The presentation introduced Google App Engine and other Google cloud technologies, discussed monetizing applications, and provided an overview of the Google Prediction API and BigQuery.
Similar to Kubecon USA 2018: Shopify's $25k bug report and the cluster takeover that didn't happen (20)
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
How to make a complaint to the police for Social Media Fraud.pdf
Kubecon USA 2018: Shopify's $25k bug report and the cluster takeover that didn't happen
1. Shopify’s $25K Bug Report and the cluster takeover that didn’t happen
Shane Lawrence, Security Infrastructure Engineer, Shopify (Twitter: @shaneplawrence, Github: @shane-lawrence)
Greg Castle, GKE Security Tech Lead, Google (Twitter: @mrgcastle, Github: @destijl)
North America 2018
2. A production security story
Agenda: Introduction, Bug report, Exchange, Attack & defense, Detection, Takeaways
8. Security report and responses
7:39pm: Report (goo.gl/dqynDa) from André Baptista (0xacb): vuln in Exchange app
7:50pm: Incident declared
8:00pm: Cloudsec and app dev teams contacted
8:43pm: Merged commit to disable vulnerable feature
9:27pm: Investigation and cleanup started (rotate credentials, contact Google, investigate logs)
1 hour (timeline marker on the slide)
10. What is Exchange? Marketplace for buying & selling stores
Diagram (screenshot workflow): 1. Exchange app (create listing, screenshots) -> "Request screenshot" -> 2. Screenshot service (headless browser) -> "Request storefront" -> 3. Test store (test store frontpage) -> webpage returned to the headless browser -> image of page returned to the Exchange app
14. Attack: Weaponize SSRF
Existing workflow, the slide 10 diagram with 4. Metadata service drawn next to the test store: 1. Exchange app (create listing, screenshots) -> "Request screenshot" -> 2. Screenshot service (headless browser) -> "Request storefront" -> 3. Test store (test store frontpage) -> webpage -> image of page
15. Attack: Weaponize SSRF
Diagram: same chain (1. Exchange app -> "Request screenshot" -> 2. Screenshot service (headless browser) -> "Request storefront" -> 3. Test store), but the test store now serves an exploit page whose webpage sends the headless browser to 4. Metadata service. Result: got token for the VM’s Google service account
16. Attack: Weaponize SSRF
Diagram: 1. Exchange app (create listing, screenshots) -> "Request screenshot" -> 2. Screenshot service (headless browser) -> "Request storefront" -> 3. Test store (exploit page) -> webpage; the headless browser then issues "Request token" to 4. Metadata server, which answers with the default SA token (v1 endpoint). Got token for the VM’s Google service account
17. Sidebar: What is this Google SA?
Diagram: Node (VM) -> Metadata server -> Service account; a Pod on the node fetches the token from the metadata server and presents that token to Google APIs
19. Defense: Require header
Metadata server requires header: Metadata-Flavor: Google
Diagram: same chain (1. Exchange app -> "Request screenshot" -> 2. Screenshot service (headless browser) -> "Request storefront" -> 3. Test store (exploit page) -> webpage); the request to 4. Metadata server (default SA token, v1) now gets "403: header required"
20. Attack: Use old API version
Beta API: no request header required :(
Diagram: same chain; the request to 4. Metadata server uses the v1beta1 endpoint instead of v1 and receives the default SA token (image of token)
21. Defense: Disable old API versions
• Beta API known issue: APIs still in use
• Disabled by default in new 1.12+ clusters
• Opt-in now: “disable-legacy-endpoints=true”
• goo.gl/JsdJbL for details
22. Defense: Least priv on token
• Default SA least privilege from 1.10+
• May vary if users have granted extra privs
• Shopify had minimal privs for log/mon/debug
• Token not useful to researcher
23. Attack: What other metadata?
Metadata server = trust bootstrap for nodes
Export static key from “kube-env”
Diagram: same chain (1. Exchange app -> "Request screenshot" -> 2. Screenshot service (headless browser) -> "Request storefront" -> 3. Test store (exploit page) -> webpage); 5. Metadata server serves the default SA token (v1, v1beta1) and kube-env, and the kube-env contents come back through the screenshot (image of kube-env)
40. Lessons learned: K8s advice
• Follow cloud provider hardening advice (GKE: g.co/gke/hardening)
• Block off/filter access to any privileged network endpoints
• Run RBAC and Node Authorization (GKE default)
• Apply least privilege for K8s service accounts
• Audit role bindings, especially upgraded clusters
• Collect API logs and have them available to query (GKE default)
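The escalation on slides 14 to 23 only worked because the screenshot service's headless browser could be steered at the metadata server, and the second bullet above ("block off/filter access to any privileged network endpoints") is the generic fix for that class of SSRF. The following is an added example of such an egress policy for a screenshot-style fetcher; it is not Shopify's or GKE's code. It checks a user-supplied URL against a hostname allowlist, resolves the name, and refuses anything that lands on the metadata server name, link-local (which covers 169.254.169.254), loopback or private ranges. The allowlist suffix, the example hostnames and the DNS table are constructed for the example; the injectable resolver is what lets it run offline.

```python
"""URL policy for a screenshot-style fetcher (SSRF egress filter).

Added example, not Shopify's or GKE's code. Before a headless browser is
pointed at a user-supplied URL, check the hostname against an allowlist,
resolve it, and refuse anything that lands on the metadata server,
link-local, loopback or private ranges. The allowlist, hostnames and DNS
table below are constructed for the example.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Names of the GCE metadata server (the "metadata server" on the slides).
METADATA_HOSTS = {"metadata.google.internal", "metadata"}

# Ranges a storefront screenshot never needs to reach. 169.254.0.0/16 covers
# the metadata server's 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]

# Constructed DNS answers so the example runs offline; use system_resolver
# for real traffic.
CONSTRUCTED_DNS = {
    "demo-store.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.11", "169.254.169.254"],
}


def constructed_resolver(host: str) -> List[str]:
    if host not in CONSTRUCTED_DNS:
        raise OSError("NXDOMAIN (constructed)")
    return CONSTRUCTED_DNS[host]


def system_resolver(host: str) -> List[str]:
    """All A/AAAA answers from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    """True if addr (v4, v6 or v4-mapped v6) falls in a blocked range."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_url(url: str, allowed_suffixes: Iterable[str],
              resolver: Resolver = system_resolver) -> str:
    """Return "allow" or a "deny: <reason>" string for a fetch target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "deny: scheme"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "deny: no host"
    if host in METADATA_HOSTS:
        return "deny: metadata hostname"
    # IP literals never match a DNS-name allowlist, so they are denied here too.
    if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
        return "deny: host not in allowlist"
    try:
        addrs = list(resolver(host))
    except OSError:
        return "deny: unresolvable"
    # An allowlisted name that resolves (even partly) into a blocked range is
    # still refused: this is the DNS-rebinding case.
    if not addrs or any(is_blocked_address(a) for a in addrs):
        return "deny: resolves to blocked range"
    return "allow"


if __name__ == "__main__":
    for u in ("https://demo-store.example.com/", "http://metadata.google.internal/",
              "http://169.254.169.254/", "https://rebind.example.com/"):
        print(u, "->", check_url(u, ["example.com"], constructed_resolver))
```

A headless browser follows redirects and fetches sub-resources, so the check has to run on every hop (for example in an egress proxy the browser is forced through), not once on the initial URL; and it complements rather than replaces the metadata-side controls on slides 19 to 22 (header requirement, disabling legacy endpoints, least privilege on the token).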
41. Links and references
Shopify bug bounty: hackerone.com/shopify
Bug report details: goo.gl/dqynDa
GKE disable old APIs: goo.gl/JsdJbL
GKE metadata conceal: goo.gl/u6rrMT
K8s API audit logs: goo.gl/d8YebH
GKE logging: g.co/gke/auditlogging
Shane Lawrence, Security Infrastructure Engineer, Shopify (Twitter: @shaneplawrence, Github: @shane-lawrence)
Greg Castle, GKE Security Tech Lead, Google (Twitter: @mrgcastle, Github: @destijl)
44. Example log queries
• Broad strokes to get you started
• No standard language for queries like this
• SQL seems most standard
• But includes some BigQuery-isms for unpacking repeated fields
• Validation/tweaking on production clusters needed
• Mostly intended to point out interesting values and fields
45. RBAC Changes (excl system)
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
protopayload_auditlog.methodName LIKE "io.k8s.authorization.rbac.v1%"
AND NOT protopayload_auditlog.authenticationInfo.principalEmail LIKE "system:%"
LIMIT 100
Similarly, use these methodName strings for specific changes to roles or bindings:
"io.k8s.authorization.rbac.v1.roles.%"
"io.k8s.authorization.rbac.v1.rolebindings.%"
"io.k8s.authorization.rbac.v1.clusterroles.%"
"io.k8s.authorization.rbac.v1.clusterrolebindings.%"
46. Creating CSRs via K8s API
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
protopayload_auditlog.resourceName LIKE
"certificates.k8s.io/v1beta1/certificatesigningrequests%"
LIMIT 100
47. Unauth’d web requests
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
protopayload_auditlog.authenticationInfo.principalEmail = "system:anonymous"
LIMIT 100
48. Kubelet bootstrap identity calls
(GKE specific)
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE "kubelet"
LIMIT 100
49. Node authenticated requests
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE "system:node%"
LIMIT 100
50. Calls outside IP range
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
NOT protopayload_auditlog.requestMetadata.callerIp = "127.0.0.1"
AND NOT protopayload_auditlog.requestMetadata.callerIp = "::1"
AND protopayload_auditlog.requestMetadata.callerIp NOT LIKE "8.8%"
LIMIT 100
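The six queries on slides 45 to 50 share one shape (the same six projected columns, an UNNEST over authorizationInfo, and a WHERE clause on principal, method, resource or caller IP), so they are easy to carry over to whatever log store a cluster actually has. Below is an added example that restates them as Python filters over Cloud Audit Log entries; it is not the deck's BigQuery SQL and not Google's code. It assumes the JSON LogEntry shape Cloud Logging exports (protoPayload.methodName, .resourceName, .authenticationInfo.principalEmail, .authorizationInfo[].granted, .requestMetadata.callerIp), which map one-to-one onto the protopayload_auditlog columns in the queries. The log entries, principals, resource names and IP ranges are constructed samples; the slide 50 filter is generalised from string-prefix matching to CIDR ranges.

```python
"""The deck's audit-log queries (slides 45-50) as Python filters.

Added example, not the deck's BigQuery SQL and not Google's code. It assumes
the JSON shape Cloud Logging exports (protoPayload.*); every log entry below
is a constructed sample.
"""
import ipaddress
from typing import Iterable, List, NamedTuple


class Row(NamedTuple):
    timestamp: str
    method: str
    resource: str
    suid: str       # principalEmail, aliased as in the queries
    granted: bool
    saddr: str      # callerIp


def _entry(ts, method, resource, principal, granted, ip):
    """Build one LogEntry-shaped dict (constructed sample data)."""
    return {"timestamp": ts, "protoPayload": {
        "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "authorizationInfo": [{"granted": g} for g in granted],
        "requestMetadata": {"callerIp": ip}}}


SAMPLE_ENTRIES = [
    _entry("2018-12-11T01:02:03Z", "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
           "rbac.authorization.k8s.io/v1/clusterrolebindings/debug-admin",
           "alice@example.com", [True], "203.0.113.5"),
    _entry("2018-12-11T01:02:10Z", "io.k8s.authorization.rbac.v1.rolebindings.patch",
           "rbac.authorization.k8s.io/v1/namespaces/kube-system/rolebindings/lease",
           "system:kube-controller-manager", [True], "127.0.0.1"),
    _entry("2018-12-11T01:03:00Z", "io.k8s.certificates.v1beta1.certificatesigningrequests.create",
           "certificates.k8s.io/v1beta1/certificatesigningrequests/node-csr-abc",
           "kubelet", [True], "10.128.0.7"),
    _entry("2018-12-11T01:03:30Z", "io.k8s.core.v1.secrets.list",
           "core/v1/namespaces/default/secrets",
           "system:anonymous", [False], "198.51.100.77"),
    _entry("2018-12-11T01:04:00Z", "io.k8s.core.v1.secrets.get",
           "core/v1/namespaces/default/secrets/db-password",
           "system:node:gke-pool-1-abcd", [False, True], "10.128.0.7"),
    _entry("2018-12-11T01:05:00Z", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/default/pods",
           "alice@example.com", [True], "198.51.100.77"),
]


def flatten(entries: Iterable[dict]) -> List[Row]:
    """FROM ..., UNNEST(authorizationInfo): one Row per authorizationInfo item."""
    rows = []
    for e in entries:
        p = e["protoPayload"]
        for authz in p.get("authorizationInfo") or [{}]:
            rows.append(Row(
                e["timestamp"], p.get("methodName", ""), p.get("resourceName", ""),
                p.get("authenticationInfo", {}).get("principalEmail", ""),
                bool(authz.get("granted", False)),
                p.get("requestMetadata", {}).get("callerIp", "")))
    return rows


def rbac_changes(rows):
    """Slide 45: RBAC API calls by anyone other than system: principals."""
    return [r for r in rows if r.method.startswith("io.k8s.authorization.rbac.v1")
            and not r.suid.startswith("system:")]


def csr_activity(rows):
    """Slide 46: calls against certificatesigningrequests (the node bootstrap path)."""
    return [r for r in rows
            if r.resource.startswith("certificates.k8s.io/v1beta1/certificatesigningrequests")]


def anonymous_requests(rows):
    """Slide 47: unauthenticated API requests."""
    return [r for r in rows if r.suid == "system:anonymous"]


def kubelet_bootstrap_calls(rows):
    """Slide 48: GKE bootstrap identity; LIKE "kubelet" has no wildcard, so equality."""
    return [r for r in rows if r.suid == "kubelet"]


def node_requests(rows):
    """Slide 49: requests authenticated as a node."""
    return [r for r in rows if r.suid.startswith("system:node")]


def calls_outside_ranges(rows, allowed_cidrs):
    """Slide 50, generalised to CIDRs; loopback is always treated as expected."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for r in rows:
        try:
            ip = ipaddress.ip_address(r.saddr)
        except ValueError:
            hits.append(r)  # unparseable caller IP: surface it rather than drop it
            continue
        if not (ip.is_loopback or any(ip in n for n in nets)):
            hits.append(r)
    return hits


if __name__ == "__main__":
    rows = flatten(SAMPLE_ENTRIES)
    print("rbac", [(r.suid, r.method) for r in rbac_changes(rows)])
    print("outside", [(r.suid, r.saddr) for r in
                      calls_outside_ranges(rows, ["10.128.0.0/20", "203.0.113.0/24"])])
```

Two details carry over from the SQL and are worth keeping in mind when tuning: the UNNEST means one API call with several authorizationInfo entries shows up as several rows (the node's secret read above produces two, one denied and one granted), and the exclusion of system: principals on slide 45 hides controller activity but also anything an attacker manages to do under a system: identity, so the node and kubelet filters on slides 48 and 49 are the ones that would have surfaced a kube-env-derived credential being used.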