This document discusses Node.js and related technologies. It begins by advertising job opportunities for Node.js developers at Palo Alto Networks in Tel Aviv. It then lists contact information for several people, including Yaron Biton and Amir Jerbi. The document goes on to cover topics like concurrency in Node.js, microservices, and Docker.
Discrete Event Simulation, CASE tool built using C# - Ron Perlmuter
SimProject is a computer-aided software engineering tool that allows development of events, procedures and variables using discrete event simulation.
The graphical user interface, which resembles Microsoft Visual Studio combined with Visio, provides an easy and intuitive way to program simulations.
SimProject compiles the graphical model to pseudo-code and later interprets it using Microsoft .NET/C#.
Finally the model is executed and the simulation results are displayed in the console. Debugging and step-by-step execution are also supported.
SimProject was built as part of our final B.Sc. project at BGU in 2005.
For agile development to work well, it is important to have many small stories and many small tasks. This presentation will show how to divide epics into minimal achievable stories and how to decompose stories into minimal achievable tasks.
Driving and virtualizing control systems: the Open Source approach used in Wh... - Igalia
Javier Muñoz Mellid and Samuel Iglesias Gonsalvez.
This talk will describe the collaboration between CERN and Igalia around the White Rabbit project, the value of the Open Source approach and how it crystallizes in upstream contributions (software and hardware).
In this talk we will describe in detail how White Rabbit and Open Source projects are able to raise the quality of the software used, accelerating innovation and gaining additional contributors.
In the technical arena, we will describe the development of Linux drivers and virtual hardware (QEMU/KVM) for the FMC/TDC board designed at CERN. This approach was showcased at LinuxCon 2012, one of the most relevant conferences in the industry. We will comment on the importance of promoting this kind of technology at industry events.
The talk will finish with a live demo showing how virtual hardware (hardware mimicking real hardware designed by CERN for White Rabbit) is used to develop, test and debug control drivers using a generic software stack.
In this webinar, IT-NOVA together with INPEC (Instituto Nacional Penitenciario y Carcelario de Colombia) will present a success story in which, thanks to TIBCO JASPERSOFT, INPEC optimized the analysis of its data, improving the comprehension and presentation of its reports and dashboards to the point of democratizing information among all of its audiences.
In general, springs can be represented in view or in section. In both cases, the outlines of the coils are drawn with straight lines that join the parts of the outline or cross-section of the coil.
The SSH protocol is just like a secure VPN: you can tunnel your application traffic inside the SSH protocol over port 22. Although it is considered a secure tunnel, many enterprises need to inspect this kind of SSH tunnel. This slide deck shows how to decrypt an SSH tunnel, detect the ssh-tunnel App-ID and block it using a Palo Alto Networks NGFW.
How to prevent ssh-tunneling using Palo Alto Networks NGFW - Yudi Arijanto
SSH tunneling is just like a secure VPN in which you can tunnel your application traffic through the SSH protocol. From a network security point of view, a firewall admin can only see SSH tunneling running on port 22 in a traditional firewall (port-based control). Using an NGFW, we can decrypt the SSH protocol, and once SSH tunneling is detected, we can block it right away.
Women's football has evolved a great deal in recent years, and the gap that separated it from men's football is now small. Fans are increasingly aware that the players can put on a show worth watching. Today it is a sport played by many women. Here are the 3 best female footballers in history.
Playing is a core human desire - How social games change the entertainment in... - Wooga
Keynote at GDC Europe in Cologne by wooga founder Jens Begemann on August 15th 2011.
* Playing is a core human desire - How social games change the entertainment industry *
'Social' is not just a buzz term in the game world - it is a movement that not only reaches out to new target groups, but will also lead to a transformation of the entire entertainment industry. As computer technology becomes increasingly integrated in our everyday lives, new tech-savvy target markets have emerged, paving the way for an evolution in game design encompassing new genres and wider tastes. In his keynote, Jens Begemann will talk about the success of Social Gaming beyond the game development landscape, and how it is shaping our perceptions about social games, interaction, and human communication.
Jens Begemann shared his ideas and thoughts about the future of social games, and discussed how social interactions in games will deepen and evolve to synchronize with real-time social interaction, therefore becoming communication. He covered how to best bridge the gap between games and social reality by creating games that are fully integrated into the everyday life of everyday people in a fun and meaningful way. On the business side, he also focused on monetization, addressing how the free-to-play business model will change as social games become one of the biggest entertainment services by time spent. Begemann will also give personal insights about building wooga, a top three social gaming company, in less than two years.
Microservices are not for everyone! If you're a small shop, a monolith provides a great amount of value and reduces the complexities involved. However as your company grows, this monolith becomes more difficult to maintain. We’ll look at how microservices allow you to easily deploy and debug atomic pieces of infrastructure which allows for increased velocity in reliable, tested, and consistent deploys. We’ll look into key metrics you can use to identify the right time to begin the transition from monolith to microservices.
Slides from DockerCon SF 2015 –
Docker at Lyft: Speeding up development w/ Matthew Leventi
Talk description: Learn how Docker enables Lyft to increase developer productivity across our engineering organization. We'll go through a local development model that decreases our developer onboard time, and keeps our teams focused on delivering product goals. We'll also talk about how we use Docker to test changes to our servers and allow QA testing of our mobile clients. You'll come out of the talk with techniques and reasons for integrating docker not just in the cloud but also onto developer's laptops.
A presentation explaining the microservices architecture, its pros and cons, with a view on how to migrate from a monolith to a SOA architecture. We'll also show the benefits of the microservices architecture on the frontend side, with the microfrontend architecture.
Speaker:
Owen Garrett
Sr. Director, Product Management
NGINX, Inc.
On-Demand Link: https://www.nginx.com/resources/webinars/need-service-mesh/
About the webinar:
Service mesh is one of the hottest emerging technologies. Even though it’s a nascent technology, many vendors have already released their implementation. But do you really need a service mesh?
Attend this webinar to learn about the levels of maturity on the journey to modernizing your apps using microservices, and the traffic management approaches best suited to each level. We’ll help you figure out if you really need a service mesh.
The NRB Group mainframe day 2021 - Containerisation on Z - Paul Pilotto - Seb... - NRB
Containerization on IBM Z : the notion of containers, their principles, how it works, their benefits on IBM Z and the reasons to adopt containers.
The second part of the presentation focuses on the various solutions available on IBM Z to run and execute your containers at the best place, on IBM Z !
Microservices: How loose is loosely coupled? - John Rofrano
Microservice architecture is a popular design pattern for DevOps deployments of cloud native applications. Its single-purpose, loosely coupled, bounded-context design lends itself to the independent life cycle required to quickly deploy and scale in the cloud. Docker containerization of these services further aids the zero-downtime deployment of these horizontally scalable services. But how do you keep them loosely coupled? How do they communicate without knowing about each other? And how do you keep all of those containers patched against the new vulnerabilities that are discovered every day?
This talk discusses the implementation of a Container Vulnerability Remediation Service that is itself designed as a collection of loosely coupled microservices communicating via a publish/subscribe messaging model using Kafka, Cloud Functions (OpenWhisk), and REST APIs implemented in Python Flask. This design keeps each microservice independent and replaceable, while enabling new services to participate in business functions without any pre-determined knowledge of the business workflow.
Slides of Maxim Burgerhout from RedHat ( @MaximBurgerhout ). This presentation was given at the Reactive Amsterdam meetup: https://www.meetup.com/Reactive-Amsterdam , in collaboration with GOTO Nights Amsterdam. Recording of the talk is here: https://www.youtube.com/watch?v=X2NFGHQzQok
The new buzzword in the world of Agile is "DevOps". So what exactly is DevOps and why do we need it? When development got married to deployment (sys-admin/operations), what was born is a new advanced species known to us today as "DevOps".
This presentation gives an overview on how Platform as a Service technology can help you to become an IT manufacturer with highly integrated and greatly automated processes that drive your business forward.
This presentation was held at (W-) JAX 2014 by Jürgen Hoffmann (Red Hat) and Sebastian Faulhaber (Red Hat).
Similar to Node.js meetup at Palo Alto Networks Tel Aviv (20)
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... - Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Search and Society: Reimagining Information Access for Radical Futures - Bhaskar Mitra
The field of information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse, explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Node.js meetup at Palo Alto Networks Tel Aviv
1. Node.js - concurrency,
microservices, docker
Dreaming of a job in Palo Alto? Get a real one at Palo Alto Networks
Palo Alto Networks TLV is hiring experienced Node.js developers!
Send your CV to: jobs-il@paloaltonetworks.com
&
Yaron Biton Oleg Verhovsky Amir Jerbi
3. My Technology Journey
1986: Commodore 64, Basic
1995: Main Frame, JCL, PL/I
1998: PC, C++ & Java
2003: Apps Servers, JEE Architect
2007: Open Source, PHP
2009: Everywhere, Javascript
4. What do I do?
Focused on
Javascript Everywhere
12 weeks bootcamp that qualifies
Full-stack Javascript developers.
• Professional developers training
• High End Consulting
• Outsourcing
5. It's Javascript all the way
Javascript is becoming
an end to end choice for companies
6. ebay: Why we chose node.js? (for a project)
• excellent support for async I/O
• Low per-connection memory overhead
– “We were able to tune a regular developer-quality Ubuntu workstation
to handle more than 120,000 active connections per node.js process,
with each connection consuming about 2k memory”
• The full story: http://www.ebaytechblog.com/2011/11/30/announcing-ql-io/
7. Linkedin: Why we switched from Ruby to node.js?
• Node is optimized for JSON, which was what our backend was
giving us,
as well as what our front end was looking to consume.
• In our use cases, Node was roughly 20 times faster
• Memory footprint is also a factor. We looked at how well VMs
(virtual machines) worked in several languages, and the V8
JavaScript Engine just blew everything else away.
• The extent of code reduction proved to be huge — from
60,000 lines down to 2000.
• Node is getting a lot of hype, that made it easier for me to
recruit.
8. Need for Speed: Groupon Migrated to Node.js
“We’re able to serve much higher traffic,” McCullough said.
Before the change to Node, a Starbucks deal was so popular that
it brought the site down. “The next time, that didn’t happen,”
McCullough said. On top of that, he said, pages now take less
time to load for end users.
http://www.datacenterknowledge.com/archives/2013/12/06/need-speed-groupon-migrated-node-js/
9. Node.js
• Node.js is an open source platform built on Chrome's
JavaScript runtime (V8) for easily building fast,
scalable network applications.
• Node.js uses an event-driven, non-blocking I/O
model that makes it lightweight and efficient,
• Suitable for data-intensive real-time applications that
run across distributed devices.
11. A Simple Node Server
• In this basic web server example, many client connections can
be handled concurrently.
• Node (libuv C module) tells the operating system
that it should be notified when a new connection is made.
• When someone connects, then it executes the callback - Each
connection is only a small heap allocation.
// Minimal HTTP server: the callback runs once per request; the process never blocks on I/O.
var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello misterBIT\n');
}).listen(1337, "127.0.0.1");
console.log('Server running at http://127.0.0.1:1337/');
12. Node.js Efficiency
• Single threaded - Node.js only uses one thread for JavaScript.
• Most APIs are asynchronous by nature
(i.e. they do not perform direct I/O), so the process never blocks.
• Node enjoys memory efficiency under high load
– Most systems allocate at least 2mb per thread
– You can't dead-lock the process — there are no locks.
13. Node.js Efficiency
No server has the non-blocking ecosystem of Node.js today.
Over 50k modules, all written in the async style, ready to use.
14. A Deeper look into Node.js Efficiency
• Actual threads are contained at low level
– and thus remain constrained in size and number,
– and the thread synchronization is thus simplified
• OS-level "switching" via select() is faster than
thread context swaps
(read about the C10K problem here)
• Threads are really hard. Developers are likely to:
– break due to bugs
– not use them as efficiently as possible
15. The Reactor Pattern
The application expresses the interest to access a resource at one point in time (without blocking) and provides a handler, which will later be invoked when the operation completes.
A Node.js application exits when there are no more pending operations in the Event Demultiplexer, and no more events to be processed inside the Event Queue.
16. Libuv - The non-blocking I/O engine of Node.js
• Each operating system has its own interface
for the Event Demultiplexer:
– epoll on Linux, kqueue on Mac OS X, and I/O
Completion Port API (IOCP) on Windows.
• So In Node.js, libuv (a C library), is in charge of
normalizing the non-blocking behavior.
17. Shared-state concurrency is difficult
Incorrect synchronization, deadlocks, inconsistent behavior, lost updates or dirty reads are all there like an accident waiting to happen.
Let's put some dead code corpses on the table:
• Race conditions
• Non-atomic operations (writing to a long!)
• Volatiles
• Write buffers
• Padding
• ConcurrentCollections, CopyOnWrite
19. What About CPU Bound Apps?
• If you naively do heavy computation in Node, you suddenly
become a very uncooperative single-tasker.
(i.e. applying a filter to a photo, finding primes, etc.)
• But there are ways!
• You can sometimes break calculations up with setImmediate,
i.e. creating a non-blocking forEach
• We can use the Cluster module and break the server into
micro services
• Sometimes, we can offload some of the calculations to be
handled on the client side with Web Workers!
25. About Codefresh
A Docker platform for development teams w automated Docker
Flow (Workflow for Docker images).
Build, Run & Test Docker based applications
26. Is "Micro Services Architecture" really a new concept?
Back to the "SOA" days:
• Abstract service definition
• Agnostic to the technology stack
• Decoupled and isolated
Containerization technologies (Docker) provide a standard way to build and deploy service-based solutions.
27. So what is Micro Service?
Logically / Business wise independent Unit
Deployable
Scalable
28. Micro Services + Docker, in the right place at the right time
Standard creation of deployable units
Ability to deploy images on different environments.
Easy scale of distributed application
Growing tool chain helps to orchestrate containers (SWARM ,
Kubernetes , Mesos)
35. Codefresh architecture (diagram). Interfaces: WebUI, CommandLine, API. Services: Team Management, Workflow Manager, Entity Manager, Monitoring, Routing, Template Manager, Integrations (Jira, etc). Workers: two Builders, three Runners. Data stores: Mongo, Redis. Flows: Build, Run, WebHook. Hosted in Codefresh. Registries: Local Registry, DockerHub Registry.
36. Lessons learned
Architecture should evolve over time based on use case and customer feedback. It will include adding new micro services on one side and rearranging existing ones on the other.
Testing - Make sure that every service is tested through unit and API tests.
Development environment - A stable development environment that makes it possible to focus on developing a specific service without needing to set up the whole system locally.
Release process should be adopted and continuously improved.
Continuous deployment with the ability to push every micro service independently.
Monitoring and logging of both single micro services and a consolidated log.
37. Release life cycle: monolithic vs microservices
                 Initial     Push1       Push2
Monolith         V1.0        V1.1        V1.2
Service 1        V1.0        V1.2        V1.3
Service 2        No change   V1.0        No change
Service 3        No change   No change   V1.0
44. Know Your HTTP Headers
Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Header: Strict-Transport-Security
  Why: Make sure the channel is encrypted. Always.
  Example: Strict-Transport-Security: max-age=16070400; includeSubDomains
Header: X-Frame-Options
  Why: Hidden iframes can be used for clickjacking attacks
  Example: X-Frame-Options: deny
Header: X-XSS-Protection
  Why: Browser-based XSS protection
  Example: X-XSS-Protection: 1; mode=block
Header: X-Content-Type-Options
  Why: Prevent MIME type sniffing
  Example: X-Content-Type-Options: nosniff
45. Secure & Verify Data Received from User
● Sanitize inputs:
○ SQL Injections
○ Form field sanitation
○ URL query string sanitation
● Sign or Encrypt Sensitive Cookie data
● CSRF
References:
https://www.npmjs.com/package/csrf
https://www.npmjs.com/package/sanitize-html
https://www.npmjs.com/package/cookie-encryption
46. Authentication
● Complex passwords
● Authenticate your REST API - JSON Web Tokens
● Brute force protection - rate limit authentications
References:
http://passportjs.org/
https://github.com/jhurliman/node-rate-limiter
https://www.npmjs.com/package/owasp-password-strength-test
47. Remove Secrets from Your Code!
What are secrets?
● Hard-coded usernames and passwords
● Encryption keys
● Access keys (AWS, Google)
Where to store them?
● Fetch from a secured location
● Keep in memory, get rid of them when no longer needed
● Encrypt
Reference:
https://security.web.cern.ch/security/recommendations/en/password_alternatives.shtml
https://square.github.io/keywhiz/
49. What are Software Containers?
A server virtualization method that is:
● Lightweight, with a small footprint
● Able to run multiple isolated processes on a shared kernel (OS)
● Little to no overhead
51. How easy is it? Very.
● Ready-made NodeJS images from https://dockerhub.com
● No need to install or configure - simply run it...
52. Build - Deploy - Run
● Create a Dockerfile to automate the build of your application.
● Easily run as a daemon using the "docker run -d" command.
53. Security Benefits of Containers
● Better control on dependencies: ship your code with its packages
● Compromised applications are still contained within container
boundaries
● Built-in mechanisms to identify changes in container
● Better control on your deployment environment
57. Common Vulnerabilities and Exposures (CVEs)
● Almost every software package has security issues.
● The older the package, the more likely it is to have issues.
● Node's nsp can be used to find vulnerable npm packages.
References:
https://web.nvd.nist.gov/view/vuln/search
https://nodesecurity.io/tools
60. Summary
● Containers are not the cure for everything.
Good programming is still the basis for good security.
Take a look at the OWASP top 10 vulnerabilities:
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
● CVEs are a serious problem. Make sure you have a process to manage them.
● Containers add to your visibility and control - better manage what's being deployed.
● If you've been hacked, then at least the compromised code is running inside a container.