I gave this talk during first Infosec meetup in Kraków/Poland on 13th March 2014. After viewing this presentation you'll know how and why you should use SELinux (or others LSMs).
Atmosphere 2014: Scaling and securing node.js apps - Maciej LasykPROIDEA
After few years of node.js in operation we know it's very fast. We all heard stories about backend services running with the help of node.js and V8 core. But what we have learned about the security of such applications? What are the major threats here? I'll explain how to create node.js apps in a secure and reliable way. Also - I'll show how those could be scaled easily with (or without) help of Linux containers (Docker based) or jail - systems like Selinux Sandbox or libvirt sandbox.
Maciej Lasyk - I've been working in IT Operations for the last 14 years. I've seen how infrastructures raised and failed, how great minds worked on scalability and kept the high pace of their platforms. I've been scaling and securing webapps since many years; within Ganymede company, now with Lumesse and Fedora Project. I'm Open Source contributor, enthusiast and evangelist. I also support security projects like OWASP. You can catch me on Twitter @docent_net and also see my work in github @docent-net and my personal blog.
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* YouTube video: https://www.youtube.com/watch?v=PpqNMhe4Bd0
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
Now that we have passed “peak orchestrator” and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi tenanted infrastructure safely? And how can we be sure what we configured yesterday will be in place tomorrow? In this talk we discuss: - the Kubernetes security landscape - risks, security models, and configuration best-practices - how to configure users and applications with least-privilege - how to isolate and segregate workloads and networks - hard and soft multi-tenancy - Continuous Security approaches to Kubernetes.
I gave this talk during first Infosec meetup in Kraków/Poland on 13th March 2014. After viewing this presentation you'll know how and why you should use SELinux (or others LSMs).
Atmosphere 2014: Scaling and securing node.js apps - Maciej LasykPROIDEA
After few years of node.js in operation we know it's very fast. We all heard stories about backend services running with the help of node.js and V8 core. But what we have learned about the security of such applications? What are the major threats here? I'll explain how to create node.js apps in a secure and reliable way. Also - I'll show how those could be scaled easily with (or without) help of Linux containers (Docker based) or jail - systems like Selinux Sandbox or libvirt sandbox.
Maciej Lasyk - I've been working in IT Operations for the last 14 years. I've seen how infrastructures raised and failed, how great minds worked on scalability and kept the high pace of their platforms. I've been scaling and securing webapps since many years; within Ganymede company, now with Lumesse and Fedora Project. I'm Open Source contributor, enthusiast and evangelist. I also support security projects like OWASP. You can catch me on Twitter @docent_net and also see my work in github @docent-net and my personal blog.
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* YouTube video: https://www.youtube.com/watch?v=PpqNMhe4Bd0
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
Now that we have passed “peak orchestrator” and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi tenanted infrastructure safely? And how can we be sure what we configured yesterday will be in place tomorrow? In this talk we discuss: - the Kubernetes security landscape - risks, security models, and configuration best-practices - how to configure users and applications with least-privilege - how to isolate and segregate workloads and networks - hard and soft multi-tenancy - Continuous Security approaches to Kubernetes.
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.
The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?
If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
Chris Rutter: Avoiding The Security BrickMichael Man
DevSecOps - London Gathering (March 2019)
This is a continuation of Chris Rutter's security talks (typically focused around Threat Modelling). In this talk Chris will explore real techniques, both technical and organisational, to introduce security into DevOps without hitting people with bricks [Not literally].
Cloud native applications are popular these days – applications that run in the cloud reliably und scale almost arbitrarily. They follow three key principles: They are built and composed as microservices, they are packaged and distributed in containers and the containers are executed dynamically in the cloud. In this hands-on session we will show how to build, package and deploy cloud native Java EE applications on top of DC/OS - fully automated with Gradle using cloud native infrastructure like Consul, Fabio, Hystrix and Prometheus. And for the fun of it we will be using an off-the-shelf DJ pad, programmed with nothing else than the Java Sound API, to demonstrate the core concepts and to visualize and remote control DC/OS.
Cloud Compliance with Open Policy AgentQAware GmbH
Cloud Native Virtual Summit featuring Kubernetes, April 2020,
talk by Alex Krause (@alex0ptr, Software Engineer at QAware)
== Please download slides if blurred! ==
Abstract: Microservices distribute the complexity of applications into smaller processes and infrastructure. In conclusion policies for encyrption, cost labelling or access control become decentralized too. The already complex components of a cloud-native application, such as container orchestration, IaaS components and CI/CD pipelines, complicate the technically uniform definition of these guidelines further.
OPA (Open Policy Agent) is a CNCF tool to define and check policies. What makes opa special is the easy integration into cloud-native environments in combination with rego, a universal logical programming language which allows defining policies across technology boundaries. This technical presentation is an introduction into OPA and demonstrates typical use-cases.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
Security Rationale For Istio
An introduction to Istio security, looking at how Istio helps to keeps your security team happy by satisfying Kubernetes security requirements for multi-tenancy, and your developers happy by reducing implementation effort. Istio is still an evolving technology, and outstanding issues and impending improvements will be discussed.
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
Presented at All Things Open
Presented by Mark Voelker with VMware
10/23/18 - 3:00 PM - Networking/Infrastructure track
For more by Mark Voelker: https://www.slideshare.net/markvoelker
ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven V...Cyber Security Alliance
New technologies are a good thing as they drive innovation. Especially in the web world, innovation is what lead to todays popularity of Sites like Google, Twitter and Facebook. Regarding security, new technologies also come with the possibility to avoid known security issues already in the design of a technology or for example a new programming language. Unfortunately most of the time, security is not a main focus and therefor also known faults are done over and over again. In addition to this, new technologies also tend to invent new vulnerability classes or at least open new ways to exploit known security issues.
In this talk I’ll take as a practical example the Node (Node.js) project which allows server side non-blocking JavaScript development. It’s great to have the same language for the frontend as for the backend as it makes things much easier to connect and also the frontend and backend developers can better understand each others work. Many people still think about JavaScript as static *.js files somewhere in a web accessible directory which is not security relevant as it’s static. This is simply not the case. In the past there where already a lot of reported security problems in JavaScript so the question is: Will those problems also affect Node? I will answer this and more questions during the talk but be assured, we’ll end up with a reverse shell
What is Google Cloud Good For at DevFestInspire 2021Robert John
My presentation at DevFestLagos on "What is Google Cloud Good For". It's an overview of the Google Cloud Platform for those unfamiliar with it. You can watch the session here: https://www.youtube.com/watch?v=wi-p8fqFLrU
FabLab Bassa Romagna e ImoLUG nell'ambito del gruppo di lavoro su Linux, organizzano una serata dedicata alla Sicurezza Informatica; è un tema attuale, importante, ma molto sottovalutato.
Nella serata illustreremo come è possibile costruire un proprio Hacking Lab per imparare e testare localmente i principali software di IT Security. Sfrutteremo pertanto l'ambiente di virtualizzazione ProxMox per virtualizzare il sistema operativo vulnerabile Metaspoitable, sistema sviluppato dalla nota Radid7. Grazie a BackBox Linux analizzeremo la distribuzione vulnerabile alla ricerca di dettagli e di exploit da sfruttare.
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.
The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?
If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
Chris Rutter: Avoiding The Security BrickMichael Man
DevSecOps - London Gathering (March 2019)
This is a continuation of Chris Rutter's security talks (typically focused around Threat Modelling). In this talk Chris will explore real techniques, both technical and organisational, to introduce security into DevOps without hitting people with bricks [Not literally].
Cloud native applications are popular these days – applications that run in the cloud reliably und scale almost arbitrarily. They follow three key principles: They are built and composed as microservices, they are packaged and distributed in containers and the containers are executed dynamically in the cloud. In this hands-on session we will show how to build, package and deploy cloud native Java EE applications on top of DC/OS - fully automated with Gradle using cloud native infrastructure like Consul, Fabio, Hystrix and Prometheus. And for the fun of it we will be using an off-the-shelf DJ pad, programmed with nothing else than the Java Sound API, to demonstrate the core concepts and to visualize and remote control DC/OS.
Cloud Compliance with Open Policy AgentQAware GmbH
Cloud Native Virtual Summit featuring Kubernetes, April 2020,
talk by Alex Krause (@alex0ptr, Software Engineer at QAware)
== Please download slides if blurred! ==
Abstract: Microservices distribute the complexity of applications into smaller processes and infrastructure. In conclusion policies for encyrption, cost labelling or access control become decentralized too. The already complex components of a cloud-native application, such as container orchestration, IaaS components and CI/CD pipelines, complicate the technically uniform definition of these guidelines further.
OPA (Open Policy Agent) is a CNCF tool to define and check policies. What makes opa special is the easy integration into cloud-native environments in combination with rego, a universal logical programming language which allows defining policies across technology boundaries. This technical presentation is an introduction into OPA and demonstrates typical use-cases.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
Security Rationale For Istio
An introduction to Istio security, looking at how Istio helps to keeps your security team happy by satisfying Kubernetes security requirements for multi-tenancy, and your developers happy by reducing implementation effort. Istio is still an evolving technology, and outstanding issues and impending improvements will be discussed.
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
Presented at All Things Open
Presented by Mark Voelker with VMware
10/23/18 - 3:00 PM - Networking/Infrastructure track
For more by Mark Voelker: https://www.slideshare.net/markvoelker
ASFWS 2012 - Node.js Security – Old vulnerabilities in new dresses par Sven V...Cyber Security Alliance
New technologies are a good thing as they drive innovation. Especially in the web world, innovation is what lead to todays popularity of Sites like Google, Twitter and Facebook. Regarding security, new technologies also come with the possibility to avoid known security issues already in the design of a technology or for example a new programming language. Unfortunately most of the time, security is not a main focus and therefor also known faults are done over and over again. In addition to this, new technologies also tend to invent new vulnerability classes or at least open new ways to exploit known security issues.
In this talk I’ll take as a practical example the Node (Node.js) project which allows server side non-blocking JavaScript development. It’s great to have the same language for the frontend as for the backend as it makes things much easier to connect and also the frontend and backend developers can better understand each others work. Many people still think about JavaScript as static *.js files somewhere in a web accessible directory which is not security relevant as it’s static. This is simply not the case. In the past there where already a lot of reported security problems in JavaScript so the question is: Will those problems also affect Node? I will answer this and more questions during the talk but be assured, we’ll end up with a reverse shell
What is Google Cloud Good For at DevFestInspire 2021Robert John
My presentation at DevFestLagos on "What is Google Cloud Good For". It's an overview of the Google Cloud Platform for those unfamiliar with it. You can watch the session here: https://www.youtube.com/watch?v=wi-p8fqFLrU
FabLab Bassa Romagna e ImoLUG nell'ambito del gruppo di lavoro su Linux, organizzano una serata dedicata alla Sicurezza Informatica; è un tema attuale, importante, ma molto sottovalutato.
Nella serata illustreremo come è possibile costruire un proprio Hacking Lab per imparare e testare localmente i principali software di IT Security. Sfrutteremo pertanto l'ambiente di virtualizzazione ProxMox per virtualizzare il sistema operativo vulnerabile Metaspoitable, sistema sviluppato dalla nota Radid7. Grazie a BackBox Linux analizzeremo la distribuzione vulnerabile alla ricerca di dettagli e di exploit da sfruttare.
"Black Clouds and Silver Linings in Node.js Security" Liran TalJulia Cherniak
Remember eslint-scope and event-stream incidents? As an energetic member of the Node.js Foundation's Security Working Group, Liran will provide a 360 perspective of some black clouds of security horror stories in the JavaScript & Node.js ecosystem and educate on mitigating and building secure applications. We will deep-dive into practical Node.js vulnerabilities and how to protect against them, and cover some of OWASP Top 10. Liran will also introduce initiatives the Node.js Security WG have been undertaking to secure the ecosystem and recent security updates in npm.
Derek Willian Stavis (Pagar.me)
Todo mundo diz que Webpack é só um module bundler. Mas o que é um módulo? O que é um bundler? Porque precisamos disso? Vamos caminhar pela história do desenvolvimento web para entender estes conceitos, e no final vamos dissecar a configuração e o output do Webpack para entendermos como ele funciona e como ele pode facilitar o seu processo de desenvolvimento.
Vale do Carbono Conference
Webpack is just a module bundler, they said. What they didn't say is why we need it, and what was the motivation that made us achieve what Webpack have been doing for us. In this talk we will navigate through the years of front-end development, ranging from 2003 to nowadays to understand this, and in the end, we will walk thought a complete Webpack project to understand how it works.
These are slides from a class I presented alumni and incoming students at the Austin Center for Design. The goal was to provide an over view of software application development (architecture, languages, frameworks), how to augment your development with other people of shops, and some basic techniques for scaling up.
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
Slides for the PromCon presentation "Securing Prometheus. Lessons Learned From OpenShift"
https://promcon.io/2022-munich/talks/securing-prometheus-lessons-lear/
Topics covered in this presentation, which was used for user group meetings, conferences & webinars:
1. Galera Cluster for MySQL - overview
2. Release 3 New Features:
* WAN Replication
* 5.6 Global Transaction ID (GTID) Support
* MySQL Replication Support
* and more features
3. The Galera Cluster Project
Orchestrating docker containers at scale (#DockerKRK edition)Maciej Lasyk
Slightly different version (original is here http://www.slideshare.net/d0cent/orchestrating-docker-containersatscale). This version was presented during first #Docker meetup in Kraków / Poland.
Orchestrating docker containers at scale (PJUG edition)Maciej Lasyk
Slightly changed version (original is here http://www.slideshare.net/d0cent/orchestrating-docker-containersatscale). This version was presented during Polish Java User Group meetup JavaCamp#13 in Kraków / Poland.
Orchestrating Docker containers at scaleMaciej Lasyk
Many of us already poked around Docker. Let's recap what we know and then think what do we know about scaling apps & whole environments which are Docker - based? Should we PaaS, IaaS or go with bare? Which tools to use on a given scale?
Slides from the talk I gave during 2014 edition of IT Night. This lecture is about working in terminal: from choosing a term through picking proper shell, applications and finally finishes on GitHub project which covers this talks' topics.
High Availability (HA) Explained - second editionMaciej Lasyk
I gave this talk at one of the biggest Linux conferences in Poland: 11 Liux Session that took place in Wrocław on 5/6-04-2014. It was a lightning talk covering subject of High Availability solutions, architecture, planning and deploying.
How could one create very sophisticated, open - source based monitoring solution that is very scalable and easy to deploy?
I gave this talk during on of the biggest Linux conferences in Poland: 11 Linux Session which took place in Wrocław on 5/6-04-2013
Is Red Hat / Fedora / Centos ready for lightweight Docker containers? Is Docker secure enough? How about SELinux? How could we deploy Jboss or Django within Docker / RHEL?
I gave this talk at DevOPS meetup in Krakow at 2014-02-26.
I gave this talk at Krakow/Poland DevOPS meetup. It was a lightning talk covering subject of High Availability solutions, architecture, planning and deploying.
How to run system administrator recruitment process? By creating platform based on open source parts in just 2 nights! I gave this talk in Poland / Kraków OWASP chapter meeting on 17th Octomber 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create recruitment process in CTF / challenge way.
This story covers mostly security details of this whole platform. There's great chance, that I will give another talk about this system but this time focusing on technical details. Stay tuned ;)
How to run system administrator recruitment process? By creating platform based on open source parts in just 2 nights! I gave this talk in Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create recruitment process in CTF / challenge way.
This story covers mostly security details of this whole platform. There's great chance, that I will give another talk about this system but this time focusing on technical details. Stay tuned ;)
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Neuro-symbolic is not enough, we need neuro-*semantic*
Node.js security
1. Maciej Lasyk, node.js security
Maciej Lasyk
SEConference
Kraków, 2014-05-09
node.js security
2. Sysadmin about node.js security?
- not only sysadmin ;)
- node needs thorough understanding of whole infra
- 14+ years of exp software dev. / sysop
- currently “noding” 4 prv & Fedora
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
3. JS security recap – evals & co
eval() like fncs takes string argument and
evalute those as source code
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
4. JS security recap – evals & co
eval() like fncs takes string argument and
evalute those as source code
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
srsly – who does that?
Maciej Lasyk, node.js security
5. JS security recap – evals & co
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
var x = req.body.x;
var y = req.body.y;
var sum = eval(a + "+" + b);
Maciej Lasyk, node.js security
6. JS security recap – evals & co
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
var x = req.body.x;
var y = req.body.y;
var sum = eval(a + "+" + b);
what if attacker fills 'x' with:
some.super.class.wipe.the.database('now');
LOL :)
Maciej Lasyk, node.js security
7. JS security recap – evals & co
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
not only evals:
setInterval(code,2)
setTimeout(code,2)
str = new Function(code)
Chrome CSP denies those also :)
Maciej Lasyk, node.js security
8. JS security recap – global namespace pollution
- node.js is single threaded
- all variable values are common
- one could thrtically change bhv of others reqs
- watch out for globals then!
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
9. JS security recap – global namespace pollution
some very awful example:
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
var auth = false;
app.get('/auth', function(req, res) {
if(legit) { auth = true; res.send("success");
});
app.get('/payments-db', function(req, res) {
if (auth) res.send("legit to see all payments data");
else res.send("not logged in");
})
app.listen(8080);
Maciej Lasyk, node.js security
10. JS security recap – global namespace pollution
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
So now imagine..
global namespace pollution + evals & co
Maciej Lasyk, node.js security
11. JS security recap – global namespace pollution
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
So now imagine..
global namespace pollution + evals & co
Maciej Lasyk, node.js security
12. JS security recap – global namespace pollution
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
So now imagine..
global namespace pollution + evals & co
Watch out who you are hiring
Maciej Lasyk, node.js security
13. JS security recap – strict mode
- let's throw all errors!
- declare variables!
- global namespaces help
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
14. JS security recap – strict mode
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
"use strict";
function testFunction(){
var testvar = 4;
return testvar;
}
// This causes a syntax error.
testvar = 5;
Maciej Lasyk, node.js security
15. JS security recap – strict mode
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
// This causes a syntax error:
"use strict";
testvar = 5;
// This is ok:
"use strict";
var testvar = 0;
testvar = 5;
Maciej Lasyk, node.js security
16. JS security recap – strict mode
- evals & co are not that insecure now
- no access to caller and args props
- enable globally or for some scope
- what about strict mode in 3rd
party mods?
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
17. JS security recap – strict mode
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
"use strict";
function do_smt() {
do_smt.caller; // no way :)
do_smt.arguments; // no way :)
}
Maciej Lasyk, node.js security
23. JS security recap – static code analysis
- If not doing it already – just do
- Commit hooks in (D)VCSes
- JSHint / JSLint
- Create policy for static code analysis
- Update & check this policy regularly
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
24. about node.js: what's up?
- current stable version 0.10.28
- who is using node?
https://github.com/joyent/node/wiki/Projects,-Applications,-and-Companies-Using-Node
- Operating Node.js in production/Bryan Cantrill (Joyent)
- Bill Scott,“Clash of the Titans: Kraken | Node.js @ paypal”
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
25. about node.js: model
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
26. about node.js: concurrency
- node.js is single threaded (let's say)
- multi – core? child processes (cluster.fork)
- Linux containers ftw!
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
27. about node.js: SPA
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
(thx Sekurak.pl for this image)
Maciej Lasyk, node.js security
30. node.js sec: exploits anyone?
- http://seclists.org/bugtraq – 0 hits
- http://osvdb.org – 2 hits
- http://1337day.com, http://www.exploitdb.com – 1 hit
- http://nodesecurity.io/advisories – 4 hits
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
Such security big?
not exactly
Maciej Lasyk, node.js security
31. node.js sec: what's wrong?
node.js security is a blank page
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
http://www.slideshare.net/ASF-WS/asfws-2012-nodejs-security-old-vulnerabilities-in-new-dresses-par-sven-vetsch
Maciej Lasyk, node.js security
32. node.js sec: how does sec look like?
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
33. node.js sec: how does sec look like?
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
Such security..Such security..
Very fortress!!1Very fortress!!1
WOW :)WOW :)
Maciej Lasyk, node.js security
34. node.js sec: exceptions / callbacks
callbacks Error object – remember to handle those
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
var fs = require("fs");
fs.readFile("/some/file", "utf8", function (err, contents) {
// err will be null if no error occured
// ... otherwise there will be info about error
});
forget about handling and die debugging
Maciej Lasyk, node.js security
35. node.js sec: exceptions / eventemitter
EventEmitter: emitting events 4 async actions
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
var http = require("http");
http.get("http://nodejs.org/", function (res) {
res.on("data", function (chunk) {
do_something_with_chunk;
});
res.on("error", function (err) {
// listener handling error
});
});
Attach listeners to errors events or
welcome unhandled exception!
Maciej Lasyk, node.js security
36. node.js sec: uncaught exceptions
- by default node.js will print stack trace and terminate thread
- EventEmitter / process / uncaughtException
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
// it looks like this by default:
process.on("uncaughtException", function (err) {
console.error(err);
console.trace();
process.exit();
});
Maciej Lasyk, node.js security
37. node.js sec: uncaught exceptions
- by default node.js will print stack trace and terminate thread
- EventEmitter / process / uncaughtException
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
// it looks like this by default:
process.on("uncaughtException", function (err) {
console.error(err);
console.trace();
process.exit();
});
So do you really want to comment out the 'process.exit()' line?
Maciej Lasyk, node.js security
38. node.js sec: clusters
scaling within multi-core envs
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
var cluster = require('cluster');
var http = require('http');
var numCPUs = require('os').cpus().length;
if (cluster.isMaster) {
for (var i = 0; i < numCPUs; i++) {
cluster.fork();
}
cluster.on('exit', function(worker, code, signal) {
console.log(worker.process.pid + ' died');
});
} else {
http.createServer(function(req, res) {
res.writeHead(200);
res.end("hello worldn");
}).listen(8000);
}
Maciej Lasyk, node.js security
39. node.js sec: domains
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
Handling multiple different IO operations as a single group
// don't do that:
var d = require('domain').create();
d.on('error', function(er) {
console.log('error, but oh well', er.message);
});
d.run(function() {
require('http').createServer(function(req, res) {
handleRequest(req, res);
}).listen(PORT);
});
Maciej Lasyk, node.js security
40. node.js sec: domains
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
Rather use cluster & forks and exit gently..:
create_cluster;
fork_workers;
if(worker){
var domain = require('domain');
var server = require('http').createServer(function(req, res) {
var d = domain.create();
d.on('error', function(er) {
console.error('error', er.stack);
try {
// set timeout timer
// update master && print err msg
// close server
} catch (er2) { console.error('Error 500!', er2.stack); }
}
Maciej Lasyk, node.js security
41. node.js sec: domains
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
Using Express take look at that:
https://github.com/brianc/node-domain-middleware
Assigning each Express request to a separate domain?
Maciej Lasyk, node.js security
42. node.js sec: npm modules
- npm install (-g)
- who creates modules?
- who verifies those?
- how to update?
- semantic versioning in package.json
- "connect":"~1.8.7" -> 1.8.7 - 1.9
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
44. node.js sec: npm modules
The scale of npm modules
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
45. node.js sec: npm modules
Comparison to other langs (mods/day):
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
46. node.js sec: npm modules
Remember:
- use strict?
- static analysis?
- does include some test suite?
- what is the dependency tree?
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
47. node.js.express: connect / express
Express – web dev framework
Built on top of connect
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
48. node.js.express: auth.basic_auth
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
var express = require('express'),
app = express();
app.use(express.basicAuth("user", "pwd"));
app.get("/", function (req, res) {
res.send('Hello World');
});
app.listen(8080);
Plain text and simple auth issues
Maciej Lasyk, node.js security
62. node.js.CSI: XSS
- XSS allows to access cookies, session tokens etc
- or even redirect user to malicious sites
- Myth: frameworks / tpls does the anti-XSS job
- always encode untrusted data for correct context
- OWASP ESAPI
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
63. node.js.CSI: DoS
- Error handling
- Use streams / chunking
- Use monitoring
- Use domains / clusters
- Don't be afraid of SlowLoris :)
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
64. node.js.CSI: ReDoS
- Regex could take exponential execution time
- Is regex executed in the event loop thread?
- Regex and user input?
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
https://speakerdeck.com/ckarande/top-overlooked-security-threats-to-node-dot-js-web-applications
Maciej Lasyk, node.js security
65. node.js.CSI: HPP
HTTP Parameter Pollution
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
// POST firstName=John&firstName=John
req.body.color
//=> [“John”, “John”]
Maciej Lasyk, node.js security
66. node.js.CSI: HPP
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
Modify app behavior:
Maciej Lasyk, node.js security
67. node.js.CSI: HPP
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25
- TypeErrors, uncaught errs->DoS,
- Check the expected type in the input validation
- Input fuzzing / test suites
- try/catch, domains, clusters
Maciej Lasyk, node.js security
73. node.js.CSI: request_size
Just set limits
use streams instead of buffering
And request size:
app.use(express.limit("5mb"));
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
74. node.js.CSI: environment.monitoring
- is app functional? :)
- is app overloaded?
- app should provide monitoring interface
- how many errors caught?
- are forks alive and OK?
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security
75. node.js.CSI: environment.resources
- node.js will eat ;)
- use control groups || containers
- monitor resources usage
Maciej Lasyk, Ganglia & Nagios 3/25Maciej Lasyk, node.js security 1/25Maciej Lasyk, node.js security