Desmond Israel presents on the Kaspersky Enterprise Space Security solution. It provides endpoint security across multiple device types through Kaspersky Endpoint Security products. The solution uses a 3-layer architecture covering workstations, file servers, and mail servers. It can be deployed in various scenarios using a centralized Kaspersky Administration Kit for management and updates.
D3NY17 - Customizing Incapsula to Accommodate Single Sign-On (Imperva Incapsula)
In this session, learn how the Greek Orthodox Archdiocese of America was able to customize their Incapsula service to accommodate a single sign-on solution.
The document provides an overview of 10 steps for software security according to OWASP-Turkey. It introduces the author Bünyamin Demir and his background and experience in application security. It then discusses key aspects of OWASP and provides code examples for implementing input validation, sanitization, secure cookies, session management, CAPTCHA, path canonicalization, HTTPS, CSRF tokens, and prepared statements.
This document discusses securing EmberJS applications. It begins by introducing the author and their background working on client-side web security. It then provides an overview of the topics covered, which include cross-site request forgery (CSRF), cross-site scripting (XSS), and content security policy (CSP). It explains the architecture of single-page applications like EmberJS applications. It also illustrates common web attacks like CSRF and XSS, and describes approaches to mitigate these attacks in EmberJS applications, including the use of tokens and CSP.
This document discusses why HTTPS and secure certificates are important for websites. Some key points include:
- HTTPS provides benefits like faster loading, improved SEO, and avoiding browser warnings. It also establishes trust with users.
- Common excuses for not using certificates like small site size or not processing payments are invalid, as hackers automate attacks.
- If a web server supports HTTP/2, HTTPS can be faster than HTTP. Tools like Chrome developer tools show the protocol used.
- The process to implement HTTPS involves obtaining a certificate, updating server configurations, and ensuring proper security is configured.
- Resources like Let's Encrypt and Qualys tools can help simplify certificate management and test security configurations. Maint
The document discusses how the Incapsula support team can help customers who have purchased Incapsula services. It outlines several ways the support team can be contacted, including via a support website, email, or phone. It also describes resources available to customers like knowledge base articles, training courses, and status pages. The document notes there are standard and premium support options with different response times and update intervals. It highlights that emergency escalation is available by phone and identifies enhanced support programs like managed services and technical account managers.
Best Security Practices in the Intelligence Community - SID214 - re:Invent 2017 (Amazon Web Services)
Executives from the Intelligence community discuss cloud security best practices in a field where security is imperative to operations. Security Cloud Chief John Nicely and Deputy Chief of Cyber Integration Scott Kaplan share success stories of migrating mass data to the cloud from a security perspective. Hear how they migrated their IT portfolios while managing their organizations' unique blend of constraints, budget issues, politics, culture, and security pressures. Learn how these institutions overcame barriers to migration, and ask these panelists what actions you can take to better prepare yourself for the journey of mass migration to the cloud.
With the Nexus Protocol Gateway, PKI Suite, and Access Manager it is very simple to enrol a device and to get access to the corporate resource that a certain user should have access to.
The document provides an introduction to secure coding in Java. It discusses the Open Web Application Security Project (OWASP) and its mission to improve software security. It then covers 10 simple principles for writing secure code, such as input validation, output encoding, and parameterized queries. Examples of SQL injection and LDAP injection vulnerabilities are shown, along with ways to avoid them through parameterization and input sanitization. The importance of using security mechanisms from trusted libraries rather than reimplementing them is also stressed.
This document discusses Content Security Policy (CSP), which defines an HTTP header to whitelist approved sources of content like scripts to prevent XSS attacks. It describes how CSP directives like script-src restrict where code can be loaded from to enhance security. The speaker then demonstrates how to construct CSP policies and explains options like 'unsafe-inline' that disable the protection CSP is meant to provide. In the end, resources on CSP that informed the presentation are listed.
A CISO’s Journey at Vonage: Achieving Unified Security at Scale - SID210 - re... (Amazon Web Services)
Making sense of the risks of IT deployments that sit in hybrid environments and span multiple countries is a major challenge. When you add in multiple toolsets, and global compliance requirements, including GDPR, it can get overwhelming. Listen to Vonage’s Chief Information Security Officer, Johan Hybinette, share his experiences tackling these challenges. Vonage is an established leader with 15 years of experience providing residential and business communications solutions in global markets. With a robust solution for end users, solutions offered by Vonage require a sophisticated, reliable technology stack—that technology is spread between on-premises and AWS Cloud environments. Johan shares lessons learned to achieve a successful and secure cloud deployment. How does GDPR impact a multinational hybrid deployment? Can security drive tool adoption among developers? What’s a practical approach to maintaining flexibility and a rapid pace of innovation, while providing world-class security for your customer? Get answers to all these questions and a jumpstart on your challenges from an industry leader.
Session sponsored by Trend Micro Incorporated
A Risk-Based Mobile App Security Testing Strategy (NowSecure)
Originally presented on September 19, 2018
Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy.
Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/
Get an inside look at Incapsula Security, straight from the Security Research Team. Plus, get your vulnerability management strategy on track by assessing the automated threats you face and learn about the new security features we’re working on to keep you protected.
DevSecOps is the premise that everyone in the software development lifecycle is responsible for security. DevSecOps aims to embed security in every part of the development process. In this *workshop*, participants explore taking a standard CI/CD pipeline and adding security stages to improve security posture. Learn how to use AWS CodeCommit and AWS CodePipeline to build and publish golden AMI images. Also, learn how to modify pipeline flow to add security test cases. You also have the opportunity to perform CVE analysis and code analysis using Amazon Inspector and perform observational container analysis using Amazon GuardDuty.
Slides from my talk at the first AWS Community Day in Bangalore
https://www.meetup.com/awsugblr/events/243819403/
Speaker notes: https://medium.com/@adhorn/10-lessons-from-10-years-of-aws-part-1-258b56703fcf
and https://medium.com/@adhorn/10-lessons-from-10-years-of-aws-part-2-5dd92b533870
The list is not in any particular order :)
Cloud computing gives you a number of advantages, such as the ability to scale your web application or website on demand. If you have a new web application and want to use cloud computing, you might be asking yourself, "Where do I start?" Join us in this session to understand best practices for scaling your resources from one to millions of users. We show you how to best combine different AWS services, how to make smarter decisions for architecting your application, and how to scale your infrastructure in the cloud.
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV... (Amazon Web Services)
Managing AWS and hybrid environments securely and safely while having actionable insights is an operational priority and business driver for all customers. Using SSH or RDP sessions could lead to unintended or malicious outcomes with no traceability. Learn to use Amazon EC2 Systems Manager to improve your security posture, automate at scale, and minimize application downtime for both Windows and Linux workloads. Easily author configurations to automate your infrastructure without SSH access, and control the blast radius of configuration changes. Get a cross-account and cross-region view of what’s installed and running on your servers or instances. Learn to use Systems Manager to securely store, manage, and retrieve secrets. You can also run patch compliance checks on the fleet to react to malware and vulnerabilities within minutes, while still providing granular control to users with different privilege levels and full auditability. You will hear from FINRA, the Financial Industry Regulatory Authority, on how they use Systems Manager to safely manage their Enterprise environment.
CIS14: Best Practices You Must Apply to Secure Your APIs (CloudIDSummit)
Scott Morrison, CA Technologies
Good practices to put in place and the common security antipatterns you must avoid to ensure your company’s APIs are reliable, safe and secure; includes top ways hackers exploit APIs in the wild, common identity pitfalls and how to avoid them, why OAuth scopes are essential to master, and how to keep web developers from bringing bad habits with them.
DEV325_Application Deployment Techniques for Amazon EC2 Workloads with AWS Co... (Amazon Web Services)
We’ve seen companies like fast-growing startups and large enterprises adopt and evolve strategies to optimize their application deployment to Amazon EC2. Some AWS customers perform in-place updates across their servers. Some perform blue-green deployments to newly provisioned servers. In this session, we’ll share the advantages of each approach and talk about the scenarios in which you should choose one over the other. We will also demonstrate how to perform auto-scaling and auto-rollback for deployments.
Keys to Successfully Monitoring and Optimizing Innovative and Sophisticated C... (Amazon Web Services)
AWS enables companies to build innovative cloud applications combining technologies like Alexa, AWS IoT, and AWS Lambda with enterprise-scale, microservice backends. After these applications move into production, there are teams responsible for monitoring all components and providing insights needed to optimize the customer experience. In this session, we share an easy-to-apply framework to build all components successfully to get the answers needed to run and improve every application, no matter how complicated. First, we lay the foundation with powerful tools in the AWS ecosystem like Amazon CloudWatch, AWS CloudTrail, and AWS X-Ray. Then, we complement these insights with approaches for monitoring frontend web and mobile performance and behavior, eventually extending into IoT devices. Finally, we show how to derive actionable insights from all the gathered data and integrate it into enterprise-grade monitoring platforms.
Session sponsored by Dynatrace
IOT308 - One Message to a Million Things Done in 60 seconds with AWS IoT (Amazon Web Services)
The AWS IoT message broker is a fully managed publish/subscribe broker service that enables the sending and receiving of messages between devices and applications with high speed and reliability. In this session, learn about the common AWS IoT messaging patterns and dive deep into understanding the scaling best practices while using these patterns in applications. In addition, Amazon Music talks about how they used AWS IoT to build event notifications of soccer games in their applications for our customers.
Related OSS Projects - Peter Rowe, Flexera Software (OpenStack)
Audience Level
Intermediate
Synopsis
Today’s fast-paced development environment has changed the compliance landscape. Many software projects consist of more than 50% Open Source Software (OSS) components, but as much as 99% are undocumented, increasing the complexities of managing your company’s software compliance process.
Of particular concern is “Zombie software”, or software that is outdated and contains vulnerable versions of certain components. Zombies can live in your code forever if you’re not aware of them. The acceleration of modern development lifecycles and the breakdown of an undocumented software supply chain have opened up new pathways for zombies to enter your software – leaving you exposed to security threats.
This presentation discusses best practices for implementing an Open Source Software management strategy that covers common pitfalls and commercial licence issues as well as the optimal way to track and eliminate the risks associated with Zombies!
Speaker Bio:
Involved in and around IT development for over 20 years, starting as a web developer using NotePad in 1995 when the most exciting thing online was Sun’s animated Java coffee cup, through Numega Pre-Sales selling BoundsChecker and now into the brave, new World of Open Source and software composition analysis.
Driving Innovation with Containers - CON203 - re:Invent 2017 (Amazon Web Services)
Containers allow you to easily package an application's code, configurations, and dependencies into easy to use building blocks that deliver environmental consistency, operational efficiency, developer productivity, and version control. But how can developers leverage containers to drive innovation for their applications, their team, and organization?
In this session, Asif Khan, Technical Business Manager for AWS, will discuss how containers are becoming a new cloud native compute primitive, and how your organization can use containers as a building block to accelerate innovation.
WeWork's Christopher Tava, Joshua Davis, and OpsLine's Radek Wierzbicki will show how they adopted containers as discipline in code development, and how they refactored their production architecture into containers running on Amazon ECS in under 8 months.
Containers on AWS - State of the Union - CON201 - re:Invent 2017 (Amazon Web Services)
Just over four years after the first public release of Docker, and three years to the day after the launch of Amazon EC2 Container Service, the use of containers has surged to run a significant percentage of production workloads at startups and enterprise organizations. Join Deepak Singh, General Manager of Amazon Container Services, as we cover the state of containerized application development and deployment trends, new container capabilities on AWS that are available now, options for running containerized applications on AWS, and how AWS customers successfully run container workloads in production.
SID302_Force Multiply Your Security Team with Automation and Alexa (Amazon Web Services)
Adversaries automate. Who says the good guys can't as well? By combining AWS offerings like AWS CloudTrail, Amazon Cloudwatch, AWS Config, and AWS Lambda with the power of Amazon Alexa, you can do more security tasks faster, with fewer resources. Force multiplying your security team is all about automation! Last year, we showed off penetration testing at the push of an (AWS IoT) button, and surprise-previewed how to ask Alexa to run Inspector as-needed. Want to see other ways to ask Alexa to be your cloud security sidekick? We have crazy new demos at the ready to show security geeks how to sling security automation solutions for their AWS environments (and impress and help your boss, too).
With the Nexus Protocol Gateway, PKI Suite, and Access Manager it is very simple to enrol a device and to get access to the corporate resource that a certain user should have access to.
The document provides an introduction to secure coding in Java. It discusses the Open Web Application Security Project (OWASP) and its mission to improve software security. It then covers 10 simple principles for writing secure code, such as input validation, output encoding, and parameterized queries. Examples of SQL injection and LDAP injection vulnerabilities are shown, along with ways to avoid them through parameterization and input sanitization. The importance of using security mechanisms from trusted libraries rather than reimplementing them is also stressed.
This document discusses Content Security Policy (CSP), which defines an HTTP header to whitelist approved sources of content like scripts to prevent XSS attacks. It describes how CSP directives like script-src restrict where code can be loaded from to enhance security. The speaker then demonstrates how to construct CSP policies and explains options like 'unsafe-inline' that disable the protection CSP is meant to provide. In the end, resources on CSP that informed the presentation are listed.
A CISO’s Journey at Vonage: Achieving Unified Security at Scale - SID210 - re...Amazon Web Services
Making sense of the risks of IT deployments that sit in hybrid environments and span multiple countries is a major challenge. When you add in multiple toolsets, and global compliance requirements, including GDPR, it can get overwhelming. Listen to Vonage’s Chief Information Security Officer, Johan Hybinette, share his experiences tackling these challenges. Vonage is an established leader with 15 years of experience providing residential and business communications solutions in global markets. With a robust solution for end users, solutions offered by Vonage require a sophisticated, reliable technology stack—that technology is spread between on-premises and AWS Cloud environments. Johan shares lessons learned to achieve a successful and secure cloud deployment. How does GDPR impact a multinational hybrid deployment? Can security drive tool adoption among developers? What’s a practical approach to maintaining flexibility and a rapid pace of innovation, while providing world-class security for your customer? Get answers to all these questions and a jumpstart on your challenges from an industry leader.
Session sponsored by Trend Micro Incorporated
A Risk-Based Mobile App Security Testing StrategyNowSecure
Originally presented on September 19, 2018
Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy.
Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/
Get an inside look at Incapsula Security, straight from the Security Research Team. Plus, get your vulnerability management strategy on track by assessing the automated threats you face and learn about the new security features we’re working on to keep you protected.
DevSecOps is the premise that everyone in the software development lifecycle is responsible for security. DevSecOps aims to embed security in every part of the development process. In this *workshop*, participants explore taking a standard CI/CD pipeline and adding security stages to improve security posture. Learn how to use AWS CodeCommit and AWS CodePipeline to build and publish golden AMI images. Also, learn how to modify pipeline flow to add security test cases. You also have to opportunity to perform CVE analysis and code analysis using Amazon Inspector and perform observational container analysis using Amazon GuardDuty.
Slides from my talk at the first AWS Community Day in Bangalore
https://www.meetup.com/awsugblr/events/243819403/
Speaker notes: https://medium.com/@adhorn/10-lessons-from-10-years-of-aws-part-1-258b56703fcf
and https://medium.com/@adhorn/10-lessons-from-10-years-of-aws-part-2-5dd92b533870
The list is not in any particular order :)
Cloud computing gives you a number of advantages, such as the ability to scale your web application or website on demand. If you have a new web application and want to use cloud computing, you might be asking yourself, "Where do I start?" Join us in this session to understand best practices for scaling your resources from one to millions of users. We show you how to best combine different AWS services, how to make smarter decisions for architecting your application, and how to scale your infrastructure in the cloud.
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...Amazon Web Services
Managing AWS and hybrid environments securely and safely while having actionable insights is an operational priority and business driver for all customers. Using SSH or RDP sessions could lead to unintended or malicious outcomes with no traceability. Learn to use Amazon EC2 Systems Manager to improve your security posture, automate at scale, and minimize application downtime for both Windows and Linux workloads. Easily author configurations to automate your infrastructure without SSH access, and control the blast radius of configuration changes. Get a cross-account and cross-region view of what’s installed and running on your servers or instances. Learn to use Systems Manager to securely store, manage, and retrieve secrets. You can also run patch compliance checks on the fleet to react to malware and vulnerabilities within minutes, while still providing granular control to users with different privilege levels and full auditability. You will hear from FINRA, the Financial Industry Regulatory Authority, on how they use Systems Manager to safely manage their Enterprise environment.
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
Scott Morrison, CA Technologies
Good practices to put in place and the common security antipatterns you must avoid to ensure your company’s APIs are reliable, safe and secure; includes top ways hackers exploit APIs in the wild, common identity pitfalls and how to avoid them, why OAuth scopes are essential to master, and how to keep web developers from bringing bad habits with them.
DEV325_Application Deployment Techniques for Amazon EC2 Workloads with AWS Co...Amazon Web Services
We’ve seen companies like fast-growing startups and large enterprises adopt and evolve strategies to optimize their application deployment to Amazon EC2. Some AWS customers perform in-place updates across their servers. Some perform blue-green deployments to newly provisioned servers. In this session, we’ll share the advantages of each approach and talk about the scenarios in which you should choose one over the other. We will also demonstrate how to perform auto-scaling and auto-rollback for deployments.
Keys to Successfully Monitoring and Optimizing Innovative and Sophisticated C...Amazon Web Services
AWS enables companies to build innovative cloud applications combining technologies like Alexa, AWS IoT, and AWS Lambda with enterprise-scale, microservice backends. After these applications move into production, there are teams responsible for monitoring all components and providing insights needed to optimize the customer experience. In this session, we share an easy-to-apply framework to build all components successfully to get the answers needed to run and improve every application, no matter how complicated. First, we lay the foundation with powerful tools in the AWS ecosystem like Amazon CloudWatch, AWS CloudTrail, and AWS X-Ray. Then, we complement these insights with approaches for monitoring frontend web and mobile performance and behavior, eventually extending into IoT devices. Finally, we show how to derive actionable insights from all the gathered data and integrate it into enterprise-grade monitoring platforms.
Session sponsored by Dynatrace
IOT308-One Message to a Million Things Done in 60 seconds with AWS IoTAmazon Web Services
The AWS IoT message broker is a fully managed publish/subscribe broker service that enables the sending and receiving of messages between devices and applications with high speed and reliability. In this session, learn about the common AWS IoT messaging patterns and dive deep into understanding the scaling best practices while using these patterns in applications. In addition, Amazon Music talks about how they used AWS IoT to build event notifications of soccer games in their applications for our customers.
Related OSS Projects - Peter Rowe, Flexera SoftwareOpenStack
Audience Level
Intermediate
Synopsis
Today’s fast-paced development environment has changed the compliance landscape. Many software projects consist of more than 50% Open Source Software (OSS) components, but as much as 99% are undocumented, increasing the complexities of managing your company’s software compliance process.
Of particular concern is “Zombie software”, or software that is outdated and contains vulnerable versions of certain components. Zombies can live in your code forever if you’re not aware of them. The acceleration of modern development lifecycles and the breakdown of an undocumented software supply chain have opened up new pathways for zombies to enter your software – leaving you exposed to security threats.
This presentation discusses best practices for implementing an Open Source Software management strategy that covers common pitfalls and commercial licence issues as well as the optimal way to track and eliminate the risks associated with Zombies!
Speaker Bio:
Involved in and around IT development for over 20 years, starting as a web developer using NotePad in 1995 when the most exciting thing online was Sun’s animated Java coffee cup, through Numega Pre-Sales selling BoundsChecker and now into the brave, new World of Open Source and software composition analysis.
Driving Innovation with Containers - CON203 - re:Invent 2017Amazon Web Services
Containers allow you to easily package an application's code, configurations, and dependencies into easy to use building blocks that deliver environmental consistency, operational efficiency, developer productivity, and version control. But how can developers leverage containers to drive innovation for their applications, their team, and organization?
In this session, Asif Khan Technical Business Manager for AWS will discuss how containers are becoming a new cloud native compute primitive, and how your organization can use containers as a building block to accelerate innovation.
WeWork's Christopher Tava, Joshua Davis, and OpsLine's Radek Wierzbicki will show how they adopted containers as discipline in code development, and how they refactored their production architecture into containers running on Amazon ECS in under 8 months.
Containers on AWS - State of the Union - CON201 - re:Invent 2017, by Amazon Web Services
Just over four years after the first public release of Docker, and three years to the day after the launch of Amazon EC2 Container Service, the use of containers has surged to run a significant percentage of production workloads at startups and enterprise organizations. Join Deepak Singh, General Manager of Amazon Container Services, as we cover the state of containerized application development and deployment trends, new container capabilities on AWS that are available now, options for running containerized applications on AWS, and how AWS customers successfully run container workloads in production.
SID302_Force Multiply Your Security Team with Automation and Alexa, by Amazon Web Services
Adversaries automate. Who says the good guys can't as well? By combining AWS offerings like AWS CloudTrail, Amazon CloudWatch, AWS Config, and AWS Lambda with the power of Amazon Alexa, you can do more security tasks faster, with fewer resources. Force multiplying your security team is all about automation! Last year, we showed off penetration testing at the push of an (AWS IoT) button, and surprise-previewed how to ask Alexa to run Inspector as needed. Want to see other ways to ask Alexa to be your cloud security sidekick? We have crazy new demos at the ready to show security geeks how to sling security automation solutions for their AWS environments (and impress and help your boss, too).
Easy and Scalable Log Analytics with Amazon Elasticsearch Service - ABD326 - ..., by Amazon Web Services
Applications generate logs. Infrastructure generates logs. Even humans generate logs (though we usually call that “medical data”). By ingesting and analyzing logs, you can gain understanding of how complex systems operate and quickly discover and diagnose when they don’t work as they should. In this workshop, we ingest and analyze log streams using Amazon Kinesis Firehose and Amazon Elasticsearch Service. You should come with an understanding of AWS fundamentals (Amazon EC2, Amazon S3, and security groups). You need a laptop with a Chrome or Firefox browser.
IOT311_Customer Stories of Things, Cloud, and Analytics on AWS, by Amazon Web Services
In this session, AWS IoT customers talk about the nuances, successes, and challenges of running large-scale IoT deployments on AWS. Hear from customers who have been operating on AWS IoT. Learn from their war stories of development and their architectural recommendations on technical best practices on IoT.
Testing and Troubleshooting with AWS Device Farm - MBL301 - re:Invent 2017, by Amazon Web Services
Testing your mobile app is important! In this session, learn about UI testing and how to build UI tests, then run the UI tests on a variety of mobile devices in the cloud. Learn how you can go completely device free by using devices in the cloud for your development. Also, learn about using tools like Appium and Jenkins as part of your testing and QA process. We use PWA and native apps in this session to show the difference.
This document discusses the history and future of open sourcing infrastructure. It describes how Linux and open source software grew from being seen as "cheap Unix" to becoming ubiquitous. Factors like the LAMP stack, concerns around vendor lock-in, and a need for greater automation drove more organizations to use open source options. Now open source powers much of modern infrastructure through tools like Docker, Kubernetes, and DC/OS. Going forward, the document advocates open sourcing entire infrastructure stacks to avoid vendor lock-in and allow for community ownership and contributions from anywhere.
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions, by Peter Muessig
The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended to your needs. This session will showcase various tooling extensions which can boost your development experience by far, so that you can really work offline, transpile the code in your project to use even newer versions of ECMAScript (than 2022, which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, use different kinds of proxies, and even stitch UI5 projects together during development to mimic your target environment.
How Can Hiring A Mobile App Development Company Help Your Business Grow?, by ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
UI5con 2024 - Keynote: Latest News about UI5 and its Ecosystem, by Peter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
Microservice Teams - How the cloud changes the way we work, by Sven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
Transform Your Communication with Cloud-Based IVR Solutions, by TheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
WWDC 2024 Keynote Review: For CocoaCoders Austin, by Patrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Need for Speed: Removing speed bumps from your Symfony projects ⚡️, by Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris, by Neo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Discover the latest innovations from Neo4j, in particular the latest cloud integrations and product improvements that make Neo4j an essential choice for developers building applications with interconnected data and generative AI.
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf, by VALiNTRY360
Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems.
For more info visit us https://valintry360.com/solutions/health-life-sciences
When it comes to ERP solutions, companies typically meet their needs with common ERP systems like SAP, Oracle, and Microsoft Dynamics. These big players have demonstrated that ERP systems can be either simple or highly comprehensive. This remains true today, but there are new factors to consider, including a promising new contender in the market: Odoo. This blog compares Odoo ERP with traditional ERP systems and explains why many companies now see Odoo ERP as the best choice.
What are ERP Systems?
An ERP, or Enterprise Resource Planning, system provides your company with valuable information to help you make better decisions and boost your ROI. You should choose an ERP system based on your company’s specific needs. For instance, if you run a manufacturing or retail business, you will need an ERP system that efficiently manages inventory. A consulting firm, on the other hand, would benefit from an ERP system that enhances daily operations. Similarly, eCommerce stores would select an ERP system tailored to their needs.
Because different businesses have different requirements, ERP system functionalities can vary. Among the various ERP systems available, Odoo ERP is considered one of the best in the ERP market, with more than 12 million global users today.
Odoo is an open-source ERP system initially designed for small to medium-sized businesses but now suitable for a wide range of companies. Odoo offers a scalable and configurable point-of-sale management solution and allows you to create customised modules for specific industries. Odoo is gaining more popularity because it is built in a way that allows easy customisation, has a user-friendly interface, and is affordable. Here, we will cover the main differences and explain why Odoo is gaining attention despite the many other ERP systems available in the market.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve..., by Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
OpenMetadata Community Meeting - 5th June 2024, by OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
UI5con 2024 - Bring Your Own Design System, by Peter Muessig
How do you combine the OpenUI5/SAPUI5 programming model with a design system that makes its controls available as Web Components? Since OpenUI5/SAPUI5 1.120, the framework supports the integration of any Web Components. This makes it possible, for example, to natively embed own Web Components of your design system which are created with Stencil. The integration embeds the Web Components in a way that they can be used naturally in XMLViews, like with standard UI5 controls, and can be bound with data binding. Learn how you can also make use of the Web Components base class in OpenUI5/SAPUI5 to also integrate your Web Components and get inspired by the solution to generate a custom UI5 library providing the Web Components control wrappers for the native ones.
Workshop - Innovating with Generative AI and Knowledge Graphs, by Neo4j
Workshop - Innovating with Generative AI and Knowledge Graphs
Go beyond the media hype around AI and discover practical techniques for using AI responsibly across your organization's data. Explore how knowledge graphs can be used to increase accuracy, transparency and explainability in generative AI systems. You will leave with hands-on experience combining the relationships between your data and LLMs to bring domain-specific context and improve reasoning.
Bring your laptop and we will guide you through setting up your own generative AI stack, providing practical, coded examples so you can get started in minutes.
* The tools and processes I recommend are simply things which I have used on my projects or personal research which worked for me. There are many additional alternatives out there and I try to include both open source and commercial products.
Intro into Coveros -> local software company who specializes in creating secure code and DevOps solutions
Focus on tools, less on techniques. Not in depth -> list tools instead
Ending -> now here is another related talk (Coveros presents)
I will be available after the talk to answer some questions. And if you like what you heard here, please attend the talk X about Y…
Before leaving for Japan, drop presentation onto Google drive in case Gene needs to take care of anything
What is the OWASP Top 10? It is a list of vulnerabilities created by security professionals to define the most critical security risks. There are multiple top 10 OWASP lists, but their flagship list is the OWASP Top 10 Most Critical Web Application Security Risks. This talk highlights the release candidate for 2017.
Although this candidate was recently rejected, the vulnerabilities have not changed drastically throughout the years, and the methods of detection and the tools used will provide a stronger security posture for your applications.
Yeah. This slide is a little light. I’ve found a lot of issues with scanning tools correctly determining whether SQL injection is possible and, if so, how or what may be gained.
Manual testing is important and you need to understand how SQL injection works, but the initial steps may be automated with a tool such as sqlmap.
As the name implies, sqlmap focuses on SQL injection attempts. To expand on the security tests performed, why not also use Wfuzz, a web application brute-forcing tool which attempts to find and exploit various known issues.
In terms of XXE, that really requires in-depth knowledge of how data is stored and passed within the application.
The OWASP Zed Attack Proxy, or ZAP for short, and Burp Suite Professional will attempt to find available web pages and fuzz data entry points. However, a tool can only take you so far. You can also use Wfuzz or a similar tool. However, these are only an initial step. The tester must attempt to break the business logic of an application, meaning the responsibility for testing this should fall on someone very familiar with the target application. Running a blind scan may be as detrimental as not running a scan at all.
Manual testing scenarios: attempt to break password reset functions. Or log in as an administrator, record the pages traversed and attempt to reach them as a lower-privileged user.
Mention obfuscation
This is the first slide where I really highlight ZAP and Burp because it’s the first slide where they tend to do well. These tools attempt to find where injection may be possible, but I have found those instances to be full of false positives in identifying a legitimate SQL injection vulnerability as opposed to just a part of the application which interacts with the database. Likewise for broken authentication, I have found these tools can quickly iterate through known or common authentication issues, but that they are incapable of a deep dive into an underlying business logic flaw. These tools do tend to do a great job at identifying XSS instances and at iterating through a wide library of vulnerabilities to verify if the vulnerability is exploitable.
Formerly Insecure Direct Object References and Missing Function Level Access Control
Much like with authentication, tools such as Burp and ZAP attempt to break or identify weak access controls. These must also be supplemented with manual testing.
Manual testing:
I like running through 4 different steps to test access.
Log in as an administrator, browse to a critical file and perform an admin function.
Log in as a regular user and attempt to access the file and admin function. Browse around to find a personal file for this account and perform a process unique to this user.
Log in as another regular user, preferably with different credentials or access rights, and attempt to access the other regular user’s personal file and perform the process unique to that user. Also attempt to perform previously identified admin functions.
Access the web app as an unauthenticated user. Attempt to reach and perform all of the above files and functions.
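The four steps above, encoded as an automated role-by-resource matrix. This is an added example, not code from the talk: `toy_request` is a constructed in-memory stand-in for the target application (carrying a deliberate missing owner check so the matrix has something to catch), and every session name and path is hypothetical; in practice you would replace it with a function that sends real requests using each session's cookies.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample application state (hypothetical): session -> role, file -> owner.
USERS = {"admin": "admin", "alice": "user", "bob": "user"}
FILES = {"/files/alice-report": "alice", "/files/bob-report": "bob"}


def toy_request(session: Optional[str], path: str, owner_check: bool = False) -> int:
    """Stand-in for the target app: HTTP-like status for `session` requesting `path`.
    None = unauthenticated. With owner_check=False the constructed app has a deliberate
    flaw: any authenticated user can read any other user's file."""
    if session is None:
        return 401
    role = USERS[session]
    if path.startswith("/admin/"):
        return 200 if role == "admin" else 403
    if path in FILES:
        if owner_check and FILES[path] != session and role != "admin":
            return 403
        return 200
    return 404


@dataclass(frozen=True)
class Expectation:
    session: Optional[str]  # None means no login at all
    path: str
    allowed: bool           # True if this session is supposed to reach `path`


def build_matrix(admin: str, user_a: str, user_b: str,
                 admin_path: str, file_a: str, file_b: str) -> List[Expectation]:
    """Encode the four steps: admin, first user, second user, unauthenticated."""
    return [
        Expectation(admin, admin_path, True),      # step 1: admin reaches admin function
        Expectation(user_a, admin_path, False),    # step 2: regular user must not
        Expectation(user_a, file_a, True),         #         ... but reaches own file
        Expectation(user_a, file_b, False),        #         ... and not someone else's
        Expectation(user_b, admin_path, False),    # step 3: second user, same checks
        Expectation(user_b, file_b, True),
        Expectation(user_b, file_a, False),
        Expectation(None, admin_path, False),      # step 4: unauthenticated gets nothing
        Expectation(None, file_a, False),
        Expectation(None, file_b, False),
    ]


def run_matrix(request: Callable[[Optional[str], str], int],
               matrix: List[Expectation]) -> List[Tuple[Optional[str], str, int]]:
    """Return (session, path, status) for each expectation the app violated."""
    violations = []
    for e in matrix:
        status = request(e.session, e.path)
        reached = 200 <= status < 300
        if reached != e.allowed:
            violations.append((e.session, e.path, status))
    return violations


MATRIX = build_matrix("admin", "alice", "bob",
                      "/admin/users", "/files/alice-report", "/files/bob-report")
```

Against the flawed stand-in the matrix reports both users reading each other's file; with the owner check enabled it reports nothing.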
Use Nessus to check for default configurations
For those familiar with the recent Equifax compromise, it came to light that in Argentina, their privileged account used admin/admin as its username/password.
It may not be returned in the GUI, but review requests and responses to ensure data is not bleeding unnecessarily.
Multipronged approach: Static – SonarQube and Fortify
Dynamic – Burp, ZAP, Nikto and Wireshark (bleeding sensitive data)
Logging – Splunk
This may be addressed by a two-pronged approach. Review source code for objects containing sensitive data and check dynamically for sensitive data being used. Static analysis tools, such as SonarQube and HP Fortify, will search within the code for potential vulnerabilities. Dynamic tools, such as Burp or ZAP, will check for sensitive exposures in the deployed application. A logging or monitoring tool, such as Splunk, will alert on strings which appear to contain sensitive data based on regular expressions.
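The regex-based alerting described for the logging tier, as an added example that is not part of the talk: it scans log lines for card numbers, SSNs and passwords in query strings, and validates card candidates with the Luhn checksum so that 16-digit session or order ids do not trip the rule. The log lines are constructed (the card number is a well-known test number, the SSN a historically published example); the tool-side alert rule in Splunk would look different but rest on the same patterns.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not real data).
SAMPLE_LOGS = [
    "2017-10-02 12:00:01 INFO checkout ok order=1234 pan=4111111111111111",
    "2017-10-02 12:00:02 INFO user lookup ssn=078-05-1120",
    "2017-10-02 12:00:03 DEBUG session id=1234567890123456",
    "2017-10-02 12:00:04 INFO GET /login?user=bob&password=hunter2 200",
    "2017-10-02 12:00:05 INFO login user=alice result=success",
]

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PASSWORD_RE = re.compile(r"[?&](?:password|passwd|pwd)=[^&\s]+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps 16-digit session/order ids from being flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject structurally invalid SSNs (never-issued areas, zero group/serial)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters so the alert does not leak the value again."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each sensitive item found in one log line."""
    hits: List[Tuple[str, str]] = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("pan", mask(digits)))
    for m in SSN_RE.finditer(line):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    if PASSWORD_RE.search(line):
        hits.append(("password", "[redacted]"))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan a batch of lines; returns (line_number, kind, masked_value) per hit."""
    return [(n, kind, masked)
            for n, line in enumerate(lines, 1)
            for kind, masked in scan_line(line)]
```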
“Detection is ideal, but prevention is a must”
There are countless host and network intrusion detection services. My only recommendation is to read all of the fine print of every contract, and I’m not going down that rabbit hole right now. Since this is the OWASP talk, I’ll mention one of their flagship projects, ModSecurity. This is a versatile and useful way of detecting malicious activity and preventing it once detected.
That being said, all you need is a simple network monitoring tool such as Wireshark to review communication across your network and gain an understanding of what is expected. This can help you create a baseline and identify when any anomalous traffic is generated.
Blocked by using randomized tokens within the body of the request.
Burp and ZAP can check for CSRF weaknesses. However, full exploitation and vulnerability assessments require manual review and testing.
Issues I have observed which tools have failed to detect: the CSRF token being constant throughout a session or the same for repeated sessions. Most tools will only check that a CSRF token exists. They do not track this value by default or perform sufficient testing to prove its predictability.
Sonatype CLM
OWASP Dependency Check
Contrast’s RASP
Equifax with struts2
WannaCry and its many variations: ransomware attacks through Samba
New Category. This was rejected, but I have included it here because I routinely find this as a valid finding.
Also, this is, in many ways, an extension of the old finding: Failure to restrict URL access.
Some of the endpoints I test have no validation performed on the passed user input.
Not to be paranoid, but everything is connected.
SoapUI