This document summarises a slide deck on the OWASP Top 10 web application security risks (the 2013 edition of the list) and the prevention strategies for each, illustrated with PHP examples. It covers injection flaws such as SQL injection and command injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery (CSRF), use of components with known vulnerabilities, and unvalidated redirects and forwards. The prevention advice centres on input validation, context-appropriate output encoding, access control checks on every request, secure configuration, encryption of sensitive data, and keeping components up to date.
In this talk from Ian Amit, he will try to address things from a more tactical (read: practical) perspective for application development. What 'we' see, or want, from a security practitioner perspective is nice, but enabling it from an application view isn't trivial. He'll cover the aspects that the attendees can gain from having applications designed and implemented in certain manners, while of course not changing the way things are being practised these days (too much). He will also show how logging (yes… plain old boring logging) can go a long way, and how applications that are a bit more self-conscious about their state can be utilised to detect attacks before they actually happen.
Keeping it small - Getting to know the Slim PHP micro framework, by Jeremy Kendall
Learn what the big deal is about PHP micro frameworks by taking a tour through an application written in Slim PHP. I'll briefly introduce you to some high level concepts, show how those concepts can be implemented in Slim, and see how powerful and elegant micro framework can be.
What it takes to move to the next level as a front end developer. Most of the content comes from my experience interviewing at @usaa for the past 3 years in San Antonio, TX (10 min presentation)
Unmasking is the process of removing a mask from the face to reveal the real identity; at DEF CON 17, Robert “RSnake” Hansen & Joshua “Jabra” Abraham discussed the concept with a demonstration
Although software has a great many attack vectors, a large number of application security problems can in fact be eliminated with practical measures taken as part of secure software development. This presentation covers the 10 most common practical measures that should be taken for secure software development, together with examples.
2009 Barcamp Nashville Web Security 101, by brian_dailey
A super-brief (25 minute) talk on the basics of web security. A video (with poor audio that doesn't kick in until 9 minutes in, I'm sorry) is available here:
http://www.ustream.tv/recorded/2369801
2nd Annual Start-up Launches with Dr. Werner Vogels (SPOT101) | AWS re:Invent..., by Amazon Web Services
Attend this fun, fast-paced session and see five AWS-powered start-ups launch on-stage with Amazon.com CTO, Dr. Werner Vogels. You'll hear directly from these hand-selected companies and learn how they went from an idea to launch, using the AWS cloud. This exciting hour is your firsthand look at some of the hottest new start-ups, as well as a chance to get access to their new products and features. Whether you’re a booming enterprise or a blossoming start-up, this is a re:Invent activity that’s not to be missed.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
GridMate - End to end testing is a critical piece to ensure quality and avoid..., by ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
PHP Frameworks: I want to break free (IPC Berlin 2024), by Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview, by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Pushing the limits of ePRTC: 100ns holdover for 100 days, by Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Transcript: Selling digital books in 2024: Insights from industry leaders - T..., by BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf, by 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Generative AI Deep Dive: Advancing from Proof of Concept to Production, by Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Essentials of Automations: The Art of Triggers and Actions in FME, by Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf, by Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024, by Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 5, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD within UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Climate Impact of Software Testing at Nordic Testing Days, by Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
11. FINAL QUERY
$query = "SELECT * FROM user
WHERE username = 'root'
AND password = '' OR 1 = 1 --";
Saturday, 5 October, 13
13. PREVENTION
Use an ORM or database abstraction layer that provides parameterised queries or escaping for you. Doctrine, ZendTable, and CakePHP all do this.
Use PDO and prepared statements: the SQL text is sent to the database first and the values are bound afterwards, so user data is never parsed as part of the query.
Never interpolate user data into a query string.
Never rely on regular expressions, magic quotes, or addslashes() for protection: they are character-set and context dependent, and are routinely bypassed.
14. EXAMPLE (PDO)
$query = "SELECT * FROM user
WHERE username = ?
AND password = ?";
$stmt = $db->prepare($query);
// positional placeholders are numbered from 1
$stmt->bindValue(1, $username);
$stmt->bindValue(2, $password);
// execute and fetch on the statement, not on the connection
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
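The injected query from slide 11 and the prepared-statement fix from slide 14, side by side in one runnable script. This is an added example and not code from the original slides: it assumes the pdo_sqlite extension is loaded and uses an in-memory SQLite database, and the user table, its single row and the attacker payload are constructed here.

```php
<?php
// Added example, not from the original slides: the injected query on slide 11
// beside the parameterised version from slide 14, run against an in-memory
// SQLite database so it works offline. Assumes the pdo_sqlite extension is
// loaded; the user table and its single row are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO user (username, password) VALUES ('root', 'correct horse')");

// Vulnerable: user input is interpolated into the SQL text. A quote in the
// input closes the string literal and "--" comments out the rest of the line,
// which is exactly how slide 11's FINAL QUERY comes about.
function loginVulnerable(PDO $db, string $username, string $password): array
{
    $query = "SELECT * FROM user
        WHERE username = '$username'
        AND password = '$password'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the SQL is compiled with placeholders first and the values are bound
// afterwards, so the input is only ever compared as data, never parsed as SQL.
function loginPrepared(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
    $stmt->bindValue(1, $username);   // positional placeholders are 1-indexed
    $stmt->bindValue(2, $password);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What the attacker types into the password box; no real password is known.
$payload = "' OR 1 = 1 --";

$rows = loginVulnerable($db, 'root', $payload);
printf("interpolated query: %d row(s) for payload %s\n", count($rows), $payload);

$rows = loginPrepared($db, 'root', $payload);
printf("prepared statement: %d row(s) for the same payload\n", count($rows));

$rows = loginPrepared($db, 'root', 'correct horse');
printf("prepared statement: %d row(s) for the real password\n", count($rows));
```

Run it with `php` from the command line. The interpolated query returns the root row without a valid password because the `WHERE` clause has become `username = 'root' AND password = '' OR 1 = 1`; the prepared statement returns nothing for the payload and still matches the genuine password, because the bound value is compared as a literal string rather than compiled into the query.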
22. PREVENTION
Rotate session identifiers upon login/logout.
Set the HttpOnly flag on session cookies, so they cannot be read from JavaScript.
Use well tested / mature libraries for authentication.
SSL is always a good idea; without it, session cookies travel in the clear.
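Session handling that does what the slide asks for, as an added example rather than the talk's own code. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and setcookie()) and that the site is served over HTTPS, since the cookie is marked secure; the user id passed to loginUser() is a stand-in for a real credential check.

```php
<?php
// Added example, not from the original slides: session handling that does what
// slide 22 asks for. Assumes PHP 7.3+ for the array form of
// session_set_cookie_params() and setcookie(), and that the site is served over
// HTTPS (the cookie is marked secure). Nothing here is the talk's own code.

// Harden cookie and id handling before the session starts. Setting these at
// runtime overrides loose php.ini defaults.
function configureSession(): void
{
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie, not persisted
        'path'     => '/',
        'secure'   => true,   // TLS only ("SSL is always a good idea")
        'httponly' => true,   // invisible to JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Rotate the id on login so an id fixed or captured before authentication does
// not turn into an authenticated session; true discards the old session data.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'login_at' => time()];
}

// On logout: clear server-side state, expire the cookie, destroy the session.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 86400,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

configureSession();
$anonymousId = session_id();
loginUser(42);
$loggedInId = session_id();
printf("session id before login: %s\n", $anonymousId);
printf("session id after login:  %s\n", $loggedInId);
logoutUser();
```

The two printed identifiers differ, which is the whole point of rotating on login: a session id that an attacker planted (fixation) or sniffed before authentication is no longer the id of the authenticated session. use_strict_mode is what makes fixation fail outright, because PHP refuses to adopt an id it did not generate.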
24. RISKS
Allows bad guys to do things as the person viewing a page.
Steal identities, passwords, credit cards, hijack pages and more.
31. DANGERS
Manually encoding is error prone, and you will make a mistake.
Using a template library like Twig that provides autoescaping reduces the chances of screwing up.
Encoding is dependent on context: the same value needs different escaping in HTML text, inside an attribute, inside JavaScript, and inside a URL.
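One attacker-controlled value encoded for each output context it might land in, to make "encoding is dependent on context" concrete. This is an added example, not code from the slides; the payload and the page fragments are constructed, and the helper names are my own. It uses only standard PHP functions (htmlspecialchars, json_encode, rawurlencode).

```php
<?php
// Added example, not from the original slides: one attacker-controlled value
// encoded for each output context it might land in, to show why "encoding is
// dependent on context". The payload and the page fragments are constructed.

$untrusted = '"><script>alert(1)</script><a href="x" onmouseover=\'alert(2)\'>';

// HTML body text and quoted HTML attributes: turn & < > " ' into entities.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inside a <script> block: emit a JSON string literal with < > & ' " as \uXXXX
// so the value can neither end the literal nor close the </script> tag.
function encodeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Query-string parameter: percent-encode everything outside the unreserved set.
function encodeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// An href the user supplies: entity encoding cannot stop "javascript:", so
// allow only http(s) URLs first, then encode for the attribute context.
function encodeHref(string $url): string
{
    if (!preg_match('#\Ahttps?://#i', $url)) {
        $url = '#';
    }
    return encodeHtml($url);
}

// Each line is the same value, encoded for the context it is placed in.
echo '<p>', encodeHtml($untrusted), "</p>\n";
echo '<input name="q" value="', encodeHtml($untrusted), "\">\n";
echo '<script>var q = ', encodeJs($untrusted), ";</script>\n";
// Nested contexts: URL-encode for the query string, then entity-encode
// because the result sits inside an HTML attribute.
echo '<a href="/search?q=', encodeHtml(encodeUrlParam($untrusted)), "\">search</a>\n";
echo '<a href="', encodeHref('javascript:alert(3)'), "\">profile</a>\n";
echo '<a href="', encodeHref('https://example.com/?x="'), "\">example</a>\n";
```

The JavaScript case is the one people get wrong most often: HTML-encoding a value and dropping it into a `<script>` block leaves `</script>` and quote characters live, whereas the JSON literal with the HEX flags turns every one of them into a `\u` escape. The href case shows a limit of encoding altogether: `javascript:` contains nothing to encode, so that context needs validation, not escaping.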
35. PREVENTION
Remember hidden inputs are not really hidden, and can be changed by users.
Validate access to all things, don't depend on things being hidden/invisible.
If you need to refer to the current user, use session data not form inputs.
Whitelist properties any form can update.
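The three rules on the slide in code, as an added example (not the talk's own). The profiles table, the session and the hostile request are constructed stand-ins, and the function names are mine.

```php
<?php
// Added example, not from the original slides: the rules on slide 35 in code.
// The profiles table, session and request are constructed stand-ins; the
// function names are my own.

// Fields a user may change on their own profile. Anything else submitted
// (user_id, role, balance, ...) is dropped before the update.
const PROFILE_WRITABLE = ['display_name', 'email', 'bio'];

function whitelistFields(array $input, array $allowed): array
{
    return array_intersect_key($input, array_flip($allowed));
}

// Direct object reference check: the caller names a profile id, but the record
// is only returned if it belongs to the user in the session.
function loadOwnedProfile(array $profiles, array $session, int $profileId): array
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('not authenticated');
    }
    $profile = $profiles[$profileId] ?? null;
    if ($profile === null || $profile['user_id'] !== (int) $session['user_id']) {
        // Same answer for "missing" and "not yours": do not confirm existence.
        throw new RuntimeException('profile not found');
    }
    return $profile;
}

// Update: ownership comes from the session, never from a hidden field, and only
// whitelisted fields are merged in.
function updateOwnedProfile(array &$profiles, array $session, int $profileId, array $post): array
{
    $profile = loadOwnedProfile($profiles, $session, $profileId);
    $profiles[$profileId] = array_merge($profile, whitelistFields($post, PROFILE_WRITABLE));
    return $profiles[$profileId];
}

$profiles = [
    7 => ['user_id' => 7, 'display_name' => 'alice', 'role' => 'user'],
    8 => ['user_id' => 8, 'display_name' => 'bob',   'role' => 'admin'],
];
$session = ['user_id' => 7];   // alice is logged in

// Hostile request: the "hidden" user_id was edited to bob's and a role field was added.
$post = ['user_id' => '8', 'role' => 'admin', 'display_name' => 'mallory'];

// Only the whitelisted display_name survives the merge.
$updated = updateOwnedProfile($profiles, $session, 7, $post);
print_r($updated);

// Asking for bob's profile while logged in as alice is refused.
try {
    updateOwnedProfile($profiles, $session, 8, $post);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Two things are deliberate here. The ownership check and the field whitelist are separate steps, because they defend against different edits to the form (changing which record and changing which columns). And a failed ownership check reports "not found" rather than "forbidden", so an attacker enumerating ids learns nothing about which records exist.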
37. RISKS
Default settings can be insecure, and intended for development not production.
Attackers can use misconfigured software to gain knowledge and access.
38. PREVENTION
Know the tools you use, and configure them correctly.
Keep up to date on vulnerabilities in the tools you use.
Remove/disable any services/features you aren't using.
40. RISKS
Bad guys get credit cards, personal identification, passwords or health records.
Your company could be fined or worse.
41. ASSESSING RISK
Do you have sensitive data?
Is it in plaintext?
Any old/bad crypto in use?
Missing SSL?
Who can access sensitive data?
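What "in plaintext" and "old/bad crypto" look like for the most common piece of sensitive data, the stored password, together with a migration path off the old scheme. This is an added example and not from the slides: the two stored records are constructed, and password_hash()/password_verify() are standard PHP (5.5 and later).

```php
<?php
// Added example, not from the original slides: what "plaintext" and "old/bad
// crypto" look like for stored passwords, and how to migrate off the old
// scheme as users log in. The two stored records are constructed;
// password_hash()/password_verify() are standard PHP (5.5+).

// Legacy record: unsalted md5, trivially cracked with precomputed tables.
// Modern record: password_hash() picks a salted, work-factored algorithm.
$records = [
    'legacy' => ['scheme' => 'md5',    'hash' => md5('hunter2')],
    'modern' => ['scheme' => 'modern', 'hash' => password_hash('hunter2', PASSWORD_DEFAULT)],
];

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify against whichever scheme the record carries. A correct legacy login
// is accepted once and the record rewritten, so md5 disappears over time.
function verifyAndUpgrade(array &$record, string $password): bool
{
    if ($record['scheme'] === 'md5') {
        // hash_equals() is constant-time and a strict string compare; "==" on
        // hex digests is both timing-leaky and subject to PHP's loose numeric
        // comparison of "0e..." strings.
        if (!hash_equals($record['hash'], md5($password))) {
            return false;
        }
        $record = ['scheme' => 'modern', 'hash' => hashPassword($password)];
        return true;
    }
    if (!password_verify($password, $record['hash'])) {
        return false;
    }
    // Cost or algorithm has moved on since this hash was made: rehash now,
    // while the plaintext is in hand.
    if (password_needs_rehash($record['hash'], PASSWORD_DEFAULT)) {
        $record['hash'] = hashPassword($password);
    }
    return true;
}

foreach (['legacy', 'modern'] as $name) {
    $ok = verifyAndUpgrade($records[$name], 'wrong password');
    printf("%s / wrong password: %s (scheme now %s)\n", $name, $ok ? 'accepted' : 'rejected', $records[$name]['scheme']);
    $ok = verifyAndUpgrade($records[$name], 'hunter2');
    printf("%s / hunter2: %s (scheme now %s)\n", $name, $ok ? 'accepted' : 'rejected', $records[$name]['scheme']);
}
```

Note what this does to the PDO example earlier in the deck: once passwords are hashed, the query selects the row by username only and the password check happens in PHP with password_verify(), never as a `password = ?` comparison in SQL.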
43. RISKS
Anyone on the internet can request things.
Missing access control could mean bad guys can do things they shouldn't be able to.
46. RISKS
Evil websites can perform actions for users logged into your site.
Side effects on GET can be performed via images or CSS files.
Remember the Gmail contact hack.
51. PREVENTION
Add opaque, expiring tokens, tied to the user's session, to all forms.
Requests missing tokens or containing invalid tokens should be rejected.
52. SAMPLE CSRF VALIDATION
<?php
if (!$this->validCsrfToken($data, 'csrf')) {
    throw new ForbiddenException();
}
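An implementation of the opaque, expiring token that slide 51 asks for, exposing the validCsrfToken($data, 'csrf') call that slide 52 assumes. This is an added example, not the talk's code: the CsrfGuard class name and the one-hour lifetime are my assumptions, and the session array and the three requests are constructed.

```php
<?php
// Added example, not from the original slides: an implementation of the opaque,
// expiring token slide 51 asks for, with the validCsrfToken($data, 'csrf')
// signature that slide 52 calls. The class name and the one-hour lifetime are
// my assumptions; the session array and the requests are constructed.

final class CsrfGuard
{
    private const TTL = 3600;       // seconds a token stays valid (assumed)
    private $session;               // reference to the session storage

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Opaque: 32 bytes from the CSPRNG, nothing an attacker can derive. One
    // token per session is reused across forms until it expires.
    public function token(): string
    {
        $t = $this->session['csrf'] ?? null;
        if ($t === null || time() - $t['issued'] > self::TTL) {
            $t = ['value' => bin2hex(random_bytes(32)), 'issued' => time()];
            $this->session['csrf'] = $t;
        }
        return $t['value'];
    }

    // Rendered into every form the server produces.
    public function hiddenField(string $field = 'csrf'): string
    {
        return '<input type="hidden" name="' . $field . '" value="' . $this->token() . '">';
    }

    // True only if the request carries a string token that matches the stored
    // one byte-for-byte and the stored one has not expired.
    public function validCsrfToken(array $data, string $field): bool
    {
        $t = $this->session['csrf'] ?? null;
        if ($t === null || time() - $t['issued'] > self::TTL) {
            return false;
        }
        if (!isset($data[$field]) || !is_string($data[$field])) {
            return false;
        }
        return hash_equals($t['value'], $data[$field]);   // constant-time compare
    }
}

$session = [];
$guard = new CsrfGuard($session);
echo $guard->hiddenField(), "\n";

$legit  = ['csrf' => $guard->token(), 'confirm' => '1'];   // from our own form
$forged = ['confirm' => '1'];                               // cross-site form: no token
$wrong  = ['csrf' => str_repeat('a', 64), 'confirm' => '1'];

foreach (['legit' => $legit, 'forged' => $forged, 'wrong' => $wrong] as $name => $data) {
    printf("%-6s request: %s\n", $name, $guard->validCsrfToken($data, 'csrf') ? 'allowed' : 'forbidden');
}

// Simulate the token ageing past its lifetime.
$session['csrf']['issued'] -= 2 * 3600;
printf("stale  request: %s\n", $guard->validCsrfToken($legit, 'csrf') ? 'allowed' : 'forbidden');
```

The token is stored server-side in the session, so a cross-site page can cause the browser to send the cookie but has no way to read the token to put into its forged form. hash_equals() matters less here than for password hashes, but it costs nothing and removes a timing side channel. The token is deliberately bound to the session rather than consumed on use, so several open tabs with forms keep working; the expiry bounds how long a leaked token stays useful.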
54. RISK
Using old busted software can expose you to documented issues.
CVE databases are filled with version numbers and matching exploits.
55. PREVENTION
Do routine upgrades. Keep up to date with all your software.
Read mailing lists and keep an eye out for security releases.