This document summarizes a presentation on writing secure Drupal code. The presenter, Tatar Balazs Janos, has worked with Drupal since 2007 and is active in the Drupal security community. The presentation covers trends in security vulnerabilities like cross-site scripting and SQL injection, demonstrates how to avoid vulnerabilities in code, and includes interactive exercises to test attendees' knowledge of secure coding best practices in Drupal.
The document is a presentation by Tatar Balazs Janos on writing secure Drupal code. It provides an overview of the presenter's background and experience with Drupal security. The presentation covers trends in security, types of vulnerabilities like cross-site scripting and SQL injection, and techniques for protecting against vulnerabilities such as input filtering, automated testing, and access control. It includes code examples and opportunities for audience participation through a bingo game.
This document summarizes a presentation about writing secure Drupal code. It discusses common vulnerabilities like cross-site scripting, access bypass, and SQL injection. It provides examples of secure and vulnerable code and recommends best practices to prevent vulnerabilities, including input filtering, access control, and automated testing. It also discusses security improvements in Drupal 8 and learning from security advisories.
The document discusses connecting to and interacting with MySQL databases from PHP. It provides examples of creating a database and table, inserting data, and retrieving data using the mysql and mysqli extensions. Key points covered include connecting to the database, executing queries, and fetching rows of data using functions like mysql_query(), mysql_fetch_array(), and mysqli->query().
This document summarizes a presentation about securing WordPress sites. It discusses common attacks like SQL injection, cross-site scripting, and cross-site request forgery. It provides tips for preventing these attacks through input validation, sanitization, escaping output, and using nonces. The presentation also covers general WordPress security best practices like backups, updates, file permissions, strong credentials, and the principle of least privilege.
This document discusses securing PHP applications. It covers best practices for securing input data, preventing vulnerabilities like SQL injection and cross-site scripting (XSS), and properly validating all user input. It also provides recommendations for secure file permissions, error handling, and hiding sensitive configuration details.
Full-Text Search Explained - Philipp Krenn - Codemotion Rome 2017 (Codemotion)
Today’s applications are expected to provide powerful full-text search. But how does that work in general and how do I implement it on my site or in my application? Actually, this is not as hard as it sounds at first. This talk covers: * How full-text search works in general and what the differences to databases are. * How the score or quality of a search result is calculated. * How to implement this with Elasticsearch. Attendees will learn how to add common search patterns to their applications without breaking a sweat.
The document discusses static code analysis tools and their ability to find security vulnerabilities. It notes that while tools can find some issues, they lack context and have many false positives. Advanced static analysis requires modeling the program flow and variable states, but fully capturing semantics is difficult. Overall, static tools are better for finding simple issues but struggle with deeper design flaws. Manual review is still needed to find many vulnerabilities.
This document describes MyShell, an interactive PHP script that allows execution of commands on a server. It includes configuration options like authentication, allowed directories, error handling and output formatting. The script generates an HTML interface with a text area to view command output. Users can navigate directories, enter commands and view results within permissions set by the administrator.
The document discusses various ways that the WordPress REST API can be used to integrate WordPress with third party services and build single page applications. It provides code examples for using the REST API to retrieve posts for an external application, create a custom JSON endpoint, synchronize data between live and beta sites, integrate with a third party service using webhooks, and build a single page application frontend with React components.
Ant is a Java-based build tool that is platform independent like Make but without its limitations. It uses XML configuration files and tasks run by Java objects to define projects and targets. Projects contain attributes and targets which contain tasks. Common tasks include compiling code and copying files. Properties are used to reference variables within the XML file. Ant is easy to use, extensible, standardized, and open source.
PHP has its own treasure chest of classic mistakes that surprise even the most seasoned expert: code that dies just by changing its namespace, strpos() that fails to find strings, or arrays that change without anyone touching them. Does that get on your nerves too? Let's make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you're not frightening us!
The document provides an introduction to the Django web framework, covering topics such as installing Django, creating projects and apps, defining models, using the admin interface, and basic views, URLs, and templates. It includes code examples for creating models, interacting with the database in the Python shell, registering models with the admin, and defining URLconfs and views. The training aims to help developers learn the fundamentals of building applications with Django.
“Use the right tool for the right job” is one of the first things they teach you when you start out in these waters. I would make “Get to really know your tools” a second.
In this talk we’re going to work on the architecture of an app that showcases some common features/scenarios we all probably already have in the apps we’re working on: counters, leaderboards, queuing, timelines, caching. But this time we’ll implement them with Redis, making the apps much faster, your hardware (and you) much cooler, your boss (and the clients) much happier and hopefully your salary a bit higher.
Example-driven Web API Specification Discovery (Javier Canovas)
Slides of my presentation at European Conference on Modelling Foundations and Applications (ECMFA'17). To be presented during the session on Thursday 16:00-17:30
This document introduces Assetic, an asset management library for PHP. It allows developers to easily optimize frontend assets like CSS, JS, images and more. Key features include asset collections to merge files, filters to minify and compile code, and caching of optimized assets for improved performance. Assetic aims to make integrating common asset optimization tools like Sass, CoffeeScript, and YUI Compressor cleaner and more intuitive.
Get Started with RabbitMQ (CoderCruise 2017) (James Titcumb)
This document contains a presentation on RabbitMQ and message queues. It discusses message queues and exchanges like fanout, direct, and topic exchanges. It covers installing and using RabbitMQ with PHP including examples of producers and consumers. It also discusses more advanced topics like scaling with background jobs, acknowledgements, RPC, TTL, DLX, priorities, and infrastructure with clustering and high availability.
Dip Your Toes in the Sea of Security (CoderCruise 2017) (James Titcumb)
Security is an enormous topic, and it’s really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you don’t want to be on the receiving end of. This talk will give you a taste of the vast array of things there is to know about security in modern web applications. Whether you are writing anything beyond a basic website, or even a complex web application, this talk will give you insights to some of the things you need to be aware of.
Schemaless Solr allows documents to be indexed without pre-configuring fields in the schema. As documents are indexed, previously unknown fields are automatically added to the schema with inferred field types. This is implemented using Solr's managed schema, field value class guessing to infer types, and automatic schema field addition. The schema and newly added fields can be accessed via the Schema REST API, and the schema can be modified at runtime when configured as mutable. However, schemaless mode has limitations such as single field analyses and no way to change field types after initial inference.
The document discusses various PHP wrappers that can be used to read and write data in non-standard ways and bypass security restrictions. It describes how wrappers like php://filter, zip://, and data:// can be used to read and write local files, modify file contents, bypass authentication, and perform XXE attacks. It also notes that filters in the php://filter wrapper can be used to selectively remove parts of file contents during I/O operations.
This document provides an overview of PHP and MySQL:
- PHP code is embedded into web pages and used to generate dynamic HTML content. It interacts with databases using MySQL.
- PHP supports variables, arrays, control structures, functions and object-oriented programming. Version 5 added improved OOP support.
- Templates can be used to separate application logic from user interface code for improved maintenance. Common techniques include using templates to modularize content.
PHP 5.3 introduced many new features and improvements including:
- Performance improvements with up to 40% faster speeds on Windows and 5-15% overall.
- New error reporting levels, garbage collection, and the MySQLnd native driver.
- Backwards compatibility changes like deprecated EREG functions and magic methods requirements.
- Namespaces, late static bindings, closures/lambdas, the __callStatic magic method, and get_called_class().
- Additions to the SPL like new iterators, the date/time object, and new constants like __DIR__ and __NAMESPACE__.
BioPerl is an open source collection of Perl modules for bioinformatics. It contains over 550 modules covering tasks like sequence analysis, multiple sequence alignment, and working with common file formats. The modules provide reusable subroutines and methods to parse data, access databases, and perform other common bioinformatics operations. BioPerl code is portable and can be easily incorporated into scripts and programs. The modules are organized into groups and adhere to object-oriented principles in Perl, with classes, methods, and object blessed references.
Code Obfuscation, PHP shells & more
What hackers do once they get past your code - and how you can detect & fix it.
Content:
- What happens when I get hacked?
- What's code obfuscation?
- What are PHP shells?
- Show me some clever hacks!
- Prevention
- Post-hack cleanup
What is this not about:
- How can I hack a website?
- How can I DoS a website?
- How can I find my insecure code?
The document summarizes a presentation on writing secure Drupal code. It introduces the presenter Tatar Balazs Janos and his experience with Drupal. It then covers common types of vulnerabilities like cross-site scripting, access bypass, SQL injection and how to prevent them. Examples of vulnerable code are provided and improved upon. Best practices discussed include using database queries, input filtering, automated testing and restricting permissions.
This document summarizes a presentation on writing secure Drupal code. It discusses common vulnerabilities like cross-site scripting, access bypass, and SQL injection. It demonstrates how to securely code against these vulnerabilities and recommends using tools like Behat tests, security advisories, and contributing to Drupal to improve security. The presentation encourages writing secure code through sanitizing user input, using database placeholders, and following best practices.
This document summarizes a presentation on secure Drupal coding given by Balazs Janos Tatar at the Drupal Mountain Camp 2019 conference. The presentation covered common types of vulnerabilities like cross-site scripting, access bypass, SQL injection, and discussed ways to prevent them, such as sanitizing user input, using the database API, and implementing access controls correctly. Code snippets were presented and the audience was asked to identify any issues. The goal was to help developers write more secure Drupal code.
Let's write secure Drupal code! - DrupalCamp London 2019 (Balázs Tatár)
- The document discusses secure Drupal coding practices presented by Balazs Janos Tatar at DrupalCamp London 2019.
- It covers common vulnerabilities like cross-site scripting, access bypass, SQL injection and how to prevent them through input filtering, access control configuration, and using Drupal's database APIs.
- Tatar also discusses security improvements in Drupal 8 like Twig templates, automated CSRF protection, and content security policy compatibility. He encourages learning from security advisories and reviewing sites for vulnerabilities.
In this session, I'll show the most common vulnerabilities that our Drupal code can have and how we should be prepared to avoid releasing such insecure code.
The presentation covers trends in vulnerabilities, starting in general aspects then showing Drupal specific ones.
I'll also speak about what we should do if we find any vulnerabilities in contributed solutions.
All backgrounds are welcome, from Drupal site builders to contributed projects' maintainers! Every one of you will be able to learn and improve your security awareness by being an active participant in the session. Be ready for some showcases where we'll check Drupal 7 and 8 code that is vulnerable and fix it live!
https://drupalcampkyiv.org/node/27
The document is a presentation on writing secure Drupal code given by Tatar Balazs Janos at DrupalCamp Kyiv 2019. It introduces the speaker and their background working with Drupal security. It then covers trends in security, types of vulnerabilities like cross-site scripting and SQL injection, and methods for preventing vulnerabilities like sanitizing user input and using access control properly.
This document discusses secure coding practices for Drupal. It begins with an introduction of the presenter and covers topics like cross-site scripting, sanitization, access control, SQL injection, and CSRF. Code snippets are provided and attendees are asked to evaluate if they are secure. Recommendations are given around using Drupal APIs, filtering input, and reviewing security advisories. The importance of code reviews, testing, and learning from past issues is stressed.
This document discusses secure coding practices for Drupal. It introduces the speaker and provides an overview of common security issues like cross-site scripting, SQL injection, and access bypass. It demonstrates secure and insecure code snippets and encourages testing code. It also discusses security improvements in Drupal 8 like Twig templating and built-in CSRF protection. The document promotes learning from security advisories and gives resources for additional security-related modules.
Mojolicious is a real-time web framework for Perl that provides a simplified single file mode through Mojolicious::Lite. It has a clean, portable, object oriented API without hidden magic. It supports HTTP, WebSockets, TLS, IPv6 and more. Templates can use embedded Perl and are automatically rendered. Helpers, sessions, routing and testing utilities are built in. The generator can create new app structures and components.
This document provides a tutorial on using PHP and MySQL together. It introduces PHP and MySQL, outlines how to set up a database with MySQL, and includes PHP code examples for adding, querying, updating, and deleting data from the MySQL database. The PHP code examples connect to the database, validate user input, sanitize values, and perform CRUD operations on the database using MySQL queries.
The document contains code snippets in PHP for working with categories and menus in Magento. It includes code to get store categories, loop through them to output the names and IDs, and generate URLs to link to the category pages. There are also code comments related to copyright and licensing for Magento.
This document discusses extending the functionality of Movable Type through plugins. It provides examples of plugins that add new template tags and panels. Plugins allow developers to tap into Movable Type's existing interfaces and extend the capabilities of its core applications. The document also references additional resources for learning more about customizing Movable Type through the use of plugins and its plugin API.
This document discusses using PHP to build rich internet applications (RIAs). It provides examples of using PHP to return XML or JSON data to an RIA client, and using AMFPHP to transfer PHP objects directly to ActionScript clients. It recommends building PHP apps as services that can be consumed by any front-end technology, including Ajax, XAML and Flex, in order to simplify the PHP code.
The document discusses various techniques for securing web applications including input filtering, output escaping, preventing SQL injection and cross-site scripting attacks, and protecting against session hijacking. It provides examples of how to filter and sanitize user input, escape output before sending to remote systems, and regenerate session IDs to prevent session fixation attacks.
12-security.ppt - PHP and Arabic Language - Index (webhostingguy)
The document discusses PHP security best practices. It emphasizes two golden rules: 1) filter all external input and 2) escape all output. It provides examples of filtering user-submitted data and escaping it before displaying or inserting into a database. It also covers common attacks like SQL injection, session fixation, and cross-site scripting, explaining how to prevent them by following the two golden rules of filtering input and escaping output.
The document discusses PHP security best practices. It emphasizes two golden rules: 1) filter all external input and 2) escape all output. It provides examples of filtering user-submitted data and escaping it before displaying to browsers or inserting into databases. It also covers common attacks like SQL injection, session hijacking, and cross-site scripting, explaining how to prevent them by following the two golden rules of filtering input and escaping output.
This document discusses using Flask and Eve to build a REST API with Python in 3 days. It introduces Flask as a microframework for building web applications with Python. Eve is presented as a Python framework built on Flask that allows building RESTful APIs with MongoDB in a simple way. The document provides examples of creating basic Flask and Eve apps, configuring Eve settings like schemas and authentication, and describes many features of Eve like filtering, sorting, pagination and validation.
Similar to Let's write secure Drupal code! - DrupalCamp Belarus 2019
Software Development Weaknesses - SecOSdays Sofia, 2019 (Balázs Tatár)
The OWASP Top 10 is a powerful awareness document for web application security; the latest version was released in 2017. It represents the industry-standard weaknesses that are the most critical in terms of their security risk.
In this talk we go into details of all its items, matching them with vulnerability types from the CWE (Common Weakness Enumeration) category system.
To understand the most common security issues and their consequences, one of the best ways is to learn about prevention.
Most of them can be remediated at a low cost if they are discovered during the development phase - in this session we're going to check Java, C, PHP, Perl and other programming languages in order to raise awareness for secure software development.
Security Awareness for Open Source Web Applications (Balázs Tatár)
This document discusses security awareness and practices. It begins by introducing Tatár Balázs János and his background in open source. It then discusses security awareness programs for employees, organizational security structures, and easy steps small businesses can take. Subsequent sections cover security issues as "bugs", planning security from the start of projects, thinking like attackers to test security, and key security principles. The document emphasizes that stakeholders understanding security basics is important and outlines various security assessment and review methods. It closes by discussing vulnerability management, trusted sources for fixes, and the TYPO3 security team and advisories.
A bug's life - Decoupled Drupal Security and Vulnerability ManagementBalázs Tatár
The document discusses security concepts and best practices for software development. It covers topics like security awareness training, organizational security structures, vulnerability assessments, penetration testing, and the three pillars of security - confidentiality, integrity, and availability. Security is discussed across various stages of the development lifecycle from planning to ongoing maintenance.
A bug's life - Drupal Application Security and Vulnerability ManagementBalázs Tatár
The document discusses security awareness and vulnerability management. It describes the need for security policies and education programs within organizations. It also outlines various security assessment methods like vulnerability assessments, security audits, and penetration testing. Throughout, it uses metaphors relating to bugs and butterflies to illustrate different stages of the software development and security process.
A bug's life - Drupal Application Security and Vulnerability ManagementBalázs Tatár
Tatar Balazs Janos gave a presentation on Drupal application security and vulnerability management. The presentation covered topics such as security awareness in the workplace, planning for security, web security best practices, security testing, vulnerability management, and risk assessment. The goal was to educate attendees on how to build security into the design, development, and maintenance of applications.
This document advertises mentoring opportunities for contributing to Drupal at DrupalCon Seattle. It provides information on Birds of a Feather sessions, orientation sessions, workshops for first time contributors, and dedicated spaces for mentored and general contribution. It encourages people to get involved in different contributor roles and lists topics for contribution.
Everything You Always Wanted to Know About Drupal Security* (*But Were Afraid...Balázs Tatár
This document provides an overview of Drupal security from Balazs Janos Tatar, a security analyst for the European Commission. It discusses how Tatar got involved in security work, the Drupal Security Team's disclosure policy and process for security advisories. It also covers how risk is assessed for Drupal modules and lessons learned from past high profile vulnerabilities in Drupal core software. The presentation aims to help others understand Drupal security practices and processes.
This document provides information about Drupal Mentoring events at Drupal Europe, including contribution days on Mondays and Fridays, Birds of a Feather sessions on Tuesdays and Thursdays, and mentored contribution sessions throughout the week. It encourages contribution to Drupal in roles like translating, content strategy, project management, and marketing. Links are provided to resources on setting up a local development environment, a spreadsheet of contribution topics, and information for becoming a mentor.
- The document discusses quality assurance practices for Drupal projects, including tools for code quality and testing like PHP Mess Detector, PHPUnit, and Behat.
- It describes the European Commission's Next Europa CMS, which uses Drupal 7, and their standardized QA process and maintenance team.
- The presentation provides an overview of quality assurance in general and recommendations for small projects, like using standards, documentation, and clear workflows.
Quality assurance in practice - coffee meeting, January, DIGITBalázs Tatár
The document discusses quality assurance procedures for subsites on the Next Europa WCMS. It notes that feature requests and module reviews are updated and feedback is provided by the maintenance team. Development then occurs either with a starterkit or custom solution, followed by delivery to a stash repository on feature branches. A QA procedure is then followed involving a playground deployment and eventual production deployment. The document concludes by thanking the audience and providing contact details for the author.
Quality assurance in practice - brussels drupal meetupBalázs Tatár
This document discusses quality assurance practices for Drupal projects. It defines quality assurance and provides examples of tools that can be used, such as PHP Mess Detector and PHPUnit. It also discusses establishing standards, documentation, workflows and project management. The document outlines quality assurance processes for the Next Europa Drupal multisite project at the European Commission.
Quality assurance (QA) helps improve projects by implementing standards, documentation, and clear workflows. The presenter discusses QA for the Next Europa WCMS project at the European Commission, which uses a standardized QA process and tools to validate subprojects. Various code quality and testing tools are presented, including PHP Mess Detector and PHPUnit. Drupal 8 focuses on cleaning up code based on coding standards through tools like PHP Code Sniffer and the deprecated Coder module.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
2. Who am I?
Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ EC
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
17. Client-side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting
Tatar Balazs Janos - @tatarbj
21. Everyone has a bingo card (check your bag!)
If you answer well, mark the number!
Wrong answer = no number!
The first to shout BINGO! wins the prize!
Rules and etiquette
49. Use Behat/automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted users!
Protection against Cross Site Scripting
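The two test payloads on the slide, rendered with and without output escaping. This is an added example, not code from the deck or from Drupal; it is plain PHP so it runs outside a site. Drupal's Html::escape() uses the same htmlspecialchars() flags as escapeForHtml() below, and Twig autoescaping applies them for you in templates. The third payload (an attribute break-out) and the markup wrappers are constructed for this demo.

```php
<?php
// Added example, not code from the slides: the XSS demo payloads rendered
// unfiltered and escaped, in plain PHP so it runs without Drupal.
declare(strict_types=1);

/** Escape untrusted text for an HTML text node or a double-quoted attribute. */
function escapeForHtml(string $untrusted): string {
  // Same flags Drupal's Html::escape() passes to htmlspecialchars().
  return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable: the user-supplied title is concatenated into the markup as-is. */
function renderTitleUnsafe(string $title): string {
  return '<h1>' . $title . '</h1>';
}

/** Safe: the title is escaped for the text-node context it lands in. */
function renderTitleSafe(string $title): string {
  return '<h1>' . escapeForHtml($title) . '</h1>';
}

/** Safe attribute output: ENT_QUOTES stops a quote in the value from closing the attribute. */
function renderAvatarSafe(string $altText): string {
  return '<img src="/avatar.png" alt="' . escapeForHtml($altText) . '">';
}

/** What escaping guarantees: none of the characters that carry HTML syntax survive. */
function isInertForHtml(string $escaped): bool {
  return strpbrk($escaped, '<>"\'') === false;
}

/** Constructed inputs: the two payloads from the slide plus an attribute break-out attempt. */
function demoPayloads(): array {
  return [
    "<script>alert('XSS')</script>",
    '<img src="a" onerror="alert(\'title\')">',
    '" onmouseover="alert(1)',
  ];
}

/** Renders every payload three ways and records whether the escaped form is inert. */
function runDemo(): array {
  $results = [];
  foreach (demoPayloads() as $payload) {
    $results[$payload] = [
      'unsafe' => renderTitleUnsafe($payload),
      'safe'   => renderTitleSafe($payload),
      'attr'   => renderAvatarSafe($payload),
      'inert'  => isInertForHtml(escapeForHtml($payload)),
    ];
  }
  return $results;
}

foreach (runDemo() as $payload => $r) {
  echo $payload, PHP_EOL;
  echo '  unsafe: ', $r['unsafe'], PHP_EOL;
  echo '  safe:   ', $r['safe'], PHP_EOL;
  echo '  attr:   ', $r['attr'], PHP_EOL;
  echo '  inert:  ', $r['inert'] ? 'yes' : 'no', PHP_EOL;
}
```

Escaping is per context: this covers HTML text and quoted attributes only. Values placed into JavaScript, URLs or CSS need that context's encoding, and markup you deliberately allow from semi-trusted roles should go through a filter such as Xss::filterAdmin() rather than raw #markup, which is the "check your filters and user roles" point on the slide.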
51. A user can access or do something they are not supposed to.
Menu items can be defined to be
accessed/denied.
Many access systems: node, entity, field, views...
Access bypass
72. Visit node/<nid> and other URLs
Visit anything/%node
Use Behat/automated tests.
node_access(), entity_access()
Menu definitions
user_access() for permissions
$query->addTag('node_access')
Protection against Access bypass
74. Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection
92. Always use the Drupal Database API!
db_query() with :placeholders (deprecated in D8, removed in D9)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests via curl
Protection against SQL Injection
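The `username' AND 1=1` probe from the slide, sent to a string-built query and to a parameterised one. This is an added example, not code from the deck or from Drupal: it uses plain PDO with an in-memory SQLite database so it runs without a site, but the Drupal Database API binds values the same way (:name placeholders in query(), or ->condition() on a select query). The users table, its rows and the second probe are constructed for the demo. The last function goes beyond the slide to show the limit of placeholders: identifiers such as a sort column cannot be bound and need an allow-list.

```php
<?php
// Added example, not code from the slides: SQL injection probe against a
// concatenated query and a parameterised one, using PDO + SQLite in memory.
declare(strict_types=1);

/** Constructed demo schema and rows. */
function setupDatabase(): PDO {
  $db = new PDO('sqlite::memory:');
  $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT NOT NULL, mail TEXT NOT NULL)');
  $insert = $db->prepare('INSERT INTO users (name, mail) VALUES (:name, :mail)');
  foreach ([['alice', 'alice@example.com'], ['bob', 'bob@example.com']] as [$name, $mail]) {
    $insert->execute([':name' => $name, ':mail' => $mail]);
  }
  return $db;
}

/** Vulnerable: the name becomes part of the SQL text, quotes and all. */
function findUsersUnsafe(PDO $db, string $name): array {
  $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
  try {
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
  }
  catch (PDOException $e) {
    // The probe's stray quote breaks the statement. This error is the signal
    // an attacker looks for before moving on to a payload that reads data.
    return ['SQL error: ' . $e->getMessage()];
  }
}

/** Safe: the name is bound as a value, so quotes in it are data, not syntax. */
function findUsersSafe(PDO $db, string $name): array {
  $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
  $stmt->execute([':name' => $name]);
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Placeholders only cover values. A column in ORDER BY is an identifier and
 * cannot be bound, so it is checked against an allow-list before it is
 * spliced into the statement. Drupal's query builder sanitises identifiers
 * handed to orderBy() and fields(); raw PDO and raw query strings do not.
 */
function listUsersSortedSafe(PDO $db, string $sortField): array {
  $allowed = ['uid', 'name', 'mail'];
  if (!in_array($sortField, $allowed, true)) {
    throw new InvalidArgumentException('Refusing unknown sort field: ' . $sortField);
  }
  return $db->query('SELECT name FROM users ORDER BY ' . $sortField)->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDatabase();
foreach (["username' AND 1=1", "' OR 1=1 --"] as $probe) {
  echo 'probe:  ', $probe, PHP_EOL;
  echo '  unsafe: ', implode(', ', findUsersUnsafe($db, $probe)), PHP_EOL;
  echo '  safe:   ', implode(', ', findUsersSafe($db, $probe)), PHP_EOL;
}
echo 'sorted: ', implode(', ', listUsersSortedSafe($db, 'name')), PHP_EOL;
```

Against the unsafe function the slide's probe produces a syntax error and the `' OR 1=1 --` variant returns every row; against the bound version both are just strings that match no user. Sending these probes as POST bodies with curl, as the slide suggests, exercises the same code paths as the form would.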
94. <?php
function _generate_password($length = 8) {
  // Assumed for this excerpt: the slide does not show where these two come from.
  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  $len = strlen($allowable_characters) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    // Each iteration, pick a random character from the
    // allowable string and append it to the password:
    // mt_rand() is a seeded PRNG, not a CSPRNG; this is the insecure part.
    $pass .= $allowable_characters[mt_rand(0, $len)];
  }
  return $pass;
}
?>
96. <?php
function _generate_password($length = 8) {
  // Assumed for this excerpt: the slide does not show where these two come from.
  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  $len = strlen($allowable_characters) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    do {
      // Find a secure random number within the range needed.
      // drupal_random_bytes() is Drupal 7's CSPRNG wrapper; in Drupal 8+ use
      // random_bytes(). Rejecting values above $len avoids modulo bias.
      $index = ord(drupal_random_bytes(1));
    } while ($index > $len);
    $pass .= $allowable_characters[$index];
  }
  return $pass;
}
?>
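Why the mt_rand() version on slide 94 is a vulnerability and not just a style issue, next to the modern equivalent of the slide 96 fix. This is an added example, not code from the deck or from the Mass Password Reset module; it is plain PHP 7 and runs standalone. random_int() draws from the OS CSPRNG and already rejects out-of-range values, so it replaces the byte-and-retry loop; Drupal 8's Crypt::randomBytes() sits on the same random_bytes() source. The character set and the seed are chosen for the demo.

```php
<?php
// Added example, not code from the slides: a seeded PRNG versus a CSPRNG
// for password generation, with a check that shows the PRNG is reproducible.
declare(strict_types=1);

// Demo character set (letters and digits that are hard to confuse).
const ALLOWABLE_CHARACTERS = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

/** Insecure: mt_rand() is a seeded PRNG; whoever knows the seed knows every output. */
function generatePasswordInsecure(int $length = 8): string {
  $len = strlen(ALLOWABLE_CHARACTERS) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    $pass .= ALLOWABLE_CHARACTERS[mt_rand(0, $len)];
  }
  return $pass;
}

/** Secure: random_int() is backed by the OS CSPRNG and is unbiased for the range. */
function generatePasswordSecure(int $length = 8): string {
  $len = strlen(ALLOWABLE_CHARACTERS) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    $pass .= ALLOWABLE_CHARACTERS[random_int(0, $len)];
  }
  return $pass;
}

/**
 * The weakness made visible: re-seeding mt_rand() with the same 32-bit seed
 * reproduces the exact same "random" passwords. An attacker who recovers or
 * brute-forces the seed (2^32 candidates) gets every password derived from
 * it. random_int() has no seed to recover, so no such check can be written.
 */
function insecureGeneratorIsReproducible(int $seed, int $count = 3): bool {
  mt_srand($seed);
  $first = [];
  for ($i = 0; $i < $count; $i++) {
    $first[] = generatePasswordInsecure();
  }
  mt_srand($seed);
  $second = [];
  for ($i = 0; $i < $count; $i++) {
    $second[] = generatePasswordInsecure();
  }
  return $first === $second;
}

echo 'mt_rand() passwords reproducible from seed: ',
  insecureGeneratorIsReproducible(12345) ? 'yes' : 'no', PHP_EOL;
echo 'random_int() password: ', generatePasswordSecure(12), PHP_EOL;
```

insecureGeneratorIsReproducible() returns TRUE for any seed, which is the whole problem: a reset password is only as unpredictable as the state of the generator that produced it. Apply the same rule to tokens, one-time links and session identifiers, not only to passwords.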
128. Many ways Drupal 8 is more secure!*
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and session ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core JavaScript API
*https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
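Of the items above, trusted host patterns is the one that still has to be switched on per site. The fragment below is an added example of that setting in sites/default/settings.php, not code from the deck; the hostnames are placeholders. Without it Drupal 8 flags a warning on the status report and accepts any Host header the request carries, which is what makes host-header cache poisoning and poisoned password-reset links possible.

```php
<?php
// Added example, not from the slides: trusted_host_patterns in settings.php.
// Each entry is a PCRE pattern matched against the request's Host header,
// so anchor it and escape the dots; a request whose host matches none of
// them is rejected before any routing happens.
$settings['trusted_host_patterns'] = [
  // Exact production hostname (placeholder for this example).
  '^www\.example\.com$',
  // Any subdomain of the staging zone (placeholder for this example).
  '^.+\.staging\.example\.com$',
];
```

Keep the list tight: a pattern like `^.+\.example\.com$` on production quietly re-opens the door for any host an attacker can point at your IP.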
130. Security advisories are for
Only stable modules
No alpha, beta, dev
drupal.org-hosted projects
@Maintainers: If you are contacted, be supportive!
Drupal Security Team
Einstein said: “insanity is when you do the same thing over and over again and expect different results”
OWASP: Open Web Application Security Project
Reference for the XSS issue that was basically caused by a security misconfiguration.
Hide enabled blocks from selector that are used
Context update from this wednesday
Not because of having db_query deprecated, but: The $field param is used to derive various table and field names, but in each case the Database API automatically escapes these values. Note that the API does not do this for all arguments!
mt_rand() is not secure enough!
Insecure randomness in Mass Password Reset (SA-CONTRIB-2018-043) by Greg Knaddison