Securing messages between clients and services is essential to protecting data. The Windows Communication Foundation (WCF) provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages. In this session learn how to use WCF for transfer security and access control using familiar technologies such as HTTPS, Windows integrated security, X.509 certificates, SAML, and usernames and passwords, and also new technologies such as Windows CardSpace. This session also discusses how to extend WCF security to support custom security tokens, custom authentication methods, claims-based authorization, claims transformation, and custom principals.
It is an IETF standardization initiative whose goal is to come out with an Internet standard version of SSL. The presentation discusses all. Happy Learning. :)
Identifying Cross Site Scripting Vulnerabilities in Web Applications - Porfirio Tramontana
Cross Site Scripting (XSS) is a vulnerability of a Web application that is essentially caused by the failure of the application to check user input before returning it to the client’s web browser. Without adequate validation, user input may include malicious code that may be sent to other clients and unexpectedly executed by their browsers, thus causing a security attack.
Techniques to prevent this type of attack require that all application input be checked and filtered, encoded, or validated before it is sent to any user. In order to discover the XSS vulnerabilities in a Web application, traditional source code analysis techniques can be applied. In this paper, in order to assess the XSS vulnerability of a Web application, an approach that combines static and dynamic analysis of the Web application is presented. Static analysis based criteria have been defined to detect potential vulnerabilities in the server pages of a Web application, while a process of dynamic analysis has been proposed in order to detect actual vulnerabilities. Some case studies have been carried out, giving encouraging results.
SSL/TLS Introduction with Practical Examples Including Wireshark Captures - Jaroslav Chmurny
As some of my colleagues are solving various SSL/TLS problems for one of our customers, I have prepared the above mentioned training for them. The training is divided into three parts:
- Brief Introduction to Public Key Infrastructure (PKI)
- Introduction to SSL/TLS Protocols
- Practical Examples and Hints
The last part primarily consists of hands-on exercises with Wireshark, covering a variety of successful and failed SSL/TLS handshakes. The hands-on exercises are based on an easily configurable dummy SSL client and server implemented in Java (available at https://github.com/Jardo72/SSL-Sandbox).
Building Services: .NET FX 3.5, SOAP, REST, and Beyond
Most developers will be aware of various Microsoft technologies to help build SOAP services, the latest of which are WCF and WF in .NET FX 3.5, but there’s another world of services outside SOAP. Recently Microsoft has been very active in its support for, and use of, REST as a mechanism for implementing services. This event will cover recent and forthcoming technologies for building services with SOAP and REST, and we’ll explain REST for the uninitiated.
Agenda:
Session 1: The SOAP Story
In this session we’ll do a lightning-quick recap of what SOAP is and what specs surround it, before looking at how far the SOAP programming model has come in Microsoft’s latest-and-greatest stack – Windows Communication Foundation (WCF) V3.5. We’ll talk about different approaches to building services and we’ll take a good look at the integration between WCF V3.5 and Windows Workflow Foundation (WF) V3.5, which opens up a whole new way of implementing services.
Session 2: Time for a REST
Web applications have evolved; using technologies like AJAX and Silverlight they have rich client-side code that wants to consume services, but they prefer JSON, “plain xml” and REST. In this session we’ll introduce REST for the uninitiated, and we’ll demonstrate some of the new and forthcoming technology that Microsoft has for working with REST: WCF 3.5, Web3S, Windows Live Data, and Codename “Astoria”.
For more details and the original slidedeck visit http://www.microsoft.com/uk/msdn/events/new/Detail.aspx?id=316
Carole Elliott is an Australian artist who specialises in seascapes and ocean life. Here she is sharing a work-in-progress of one of her acrylic paintings, "Perfect Day".
To see more of her paintings visit her website at www.carolelliott7.com.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec... - Brian Culver
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn what exactly claims-based authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
Session I delivered at Oredev, with some updates, more detail, reviewing all of the security standards including WS-Federation, SAML, WS-Trust, OAuth, OpenID Connect.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
- Execution from the test manager
- Orchestrator execution result
- Defect reporting
- SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GridMate - End to end testing is a critical piece to ensure quality and avoid... - ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
PHP Frameworks: I want to break free (IPC Berlin 2024) - Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Climate Impact of Software Testing at Nordic Testing Days - Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features provide convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect personal devices and information.
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 - Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Petar Vucetin - SOA312: Building Secure Web Services Using Windows Communication Foundation - Tech Ed 2008 (Final)
2. Building Secure Web Services Using Windows Communication Foundation. Petar Vucetin, Senior Software Engineer, Vertigo. Session Code: SOA312
3. Agenda
- Learn how to use standard WCF security mechanisms correctly
- Understand appropriate scenarios for the various WCF security options
- Understand how to extend WCF security for custom applications
6. Threat Modeling
- CIA: Confidentiality, Integrity, Availability
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
7. Security
- Confidentiality: the content of the message is kept secret
- Integrity: confidence that the message received is the same one the sender sent
- Authentication: confidence that we know the caller's identity
- Confidentiality and Integrity are useless without authenticity
8. WCF Out of the box experience
- Defaults to secure mode
- Claim-based
- Internet, Intranet and custom security scenarios
- Secure conversations
- Transfer: message integrity and protection
- Mutual Authentication (client->service, service->client)
- Authorization
9. [Diagram: Caller and Service, each with an identity; security applied either at the Message level (WS*) or at the Transport level (TLS, SSL, IPSec); Claims and Policy establish Trust between Caller and Service; Host runs the WCF Service]
- Endpoint = A B C: Address – Where? (A), Binding – How? (B), Contract – What? (C)
10. Transport Security
- Prevents eavesdropping, tampering, and message forgery
- Point-to-point communication
- SSL over HTTP; TLS over TCP
- Provides endpoint authentication and communications privacy using cryptography
- IPSEC/L2TP
[Diagram: Caller and Service endpoints (A B C) joined by a Transport (TLS, SSL, IPSec) channel]
11. Message (WS-Security): SOAP Envelope layout
- SOAP Header
  - Security Header: Security Token, Timestamp, Signature, Encrypted Key
  - Misc. Headers
- SOAP Body: Encrypted Data (Data)
12. Message Security
[Diagram: Caller and Service endpoints (A B C) exchanging Message (WS*) security]
- Transport independent
- Uses SOAP / WS-Security
- Parts of the message can be signed or encrypted
- All of the security information is encapsulated in the message
- Security credentials and claims travel with every message
- Wide set of credentials and claims supported
- WCF requires an X509 certificate
13. Authentication
- Caller identification: Windows tokens, Certificates, User Name Tokens, Custom
- Service identification (to caller): Windows tokens, X.509 certificates
14. Authentication (WS-Security)
[Diagram: token types exchanged under Contract & Policies: X509 Certificate, Kerberos, XrML, SAML, Custom]
- The service verifies that the user owns/is able to use a key (the private key) that is never transmitted
15. Authorization
- What is the caller allowed to do
- WCF uses the caller's claims; there can be many: Windows token, SAML
- Windows groups, ASP.NET providers, Custom provider
- No good without authentication
16. Claims
A claim is a declaration made by an entity about an entity (for example, a name, identity, group, key, or privilege). The entity that makes the claim is referred to as the claim issuer; the entity about which the claim is made is referred to as the claim subject. A claim is defined by a triplet: type, right, resource. A claim issuer can vouch for or endorse the claims in a security token by using its key to sign or encrypt the security token. This enables authentication of the claims in the security token.
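The claim triplet and the issuer relationship above, as an added example (not code from the session or from WCF's samples): a ServiceAuthorizationManager that grants access only when a claim of the required type, right and resource is present in a claim set whose issuer the service trusts. The claim type `urn:example:claims/role`, the role value and the method names are assumptions; it targets .NET Framework 3.5 with System.ServiceModel and System.IdentityModel referenced.

```csharp
// Added example: claims-based authorization using the type/right/resource triplet.
// Assumes .NET Framework 3.5; System.ServiceModel and System.IdentityModel referenced.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;

public class ClaimsAuthorizationManager : ServiceAuthorizationManager
{
    // Hypothetical application-specific claim type and required resource value.
    public const string RoleClaimType = "urn:example:claims/role";
    public const string RequiredRole = "OrderApprover";

    // The issuer test is the authentication half: a claim set is only worth
    // reading if it was issued from a token the service actually verified.
    private readonly Func<ClaimSet, bool> issuerTrusted;

    public ClaimsAuthorizationManager(Func<ClaimSet, bool> issuerTrusted)
    {
        this.issuerTrusted = issuerTrusted;
    }

    // Core check, kept free of OperationContext so it can be exercised directly.
    public static bool HasClaim(IEnumerable<ClaimSet> claimSets, string claimType,
                                string right, object resource,
                                Func<ClaimSet, bool> issuerTrusted)
    {
        foreach (ClaimSet set in claimSets)
        {
            if (!issuerTrusted(set)) continue;            // untrusted issuer: ignored
            foreach (Claim c in set.FindClaims(claimType, right))
            {
                if (Equals(c.Resource, resource)) return true;
            }
        }
        return false;
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Every message carries its claims; read them from the security context.
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous) return false;   // no authentication, no authorization
        return HasClaim(ctx.AuthorizationContext.ClaimSets, RoleClaimType,
                        Rights.PossessProperty, RequiredRole, issuerTrusted);
    }

    // Stand-alone demonstration with constructed claim sets (no channel needed).
    public static void Main()
    {
        ClaimSet trustedIssuer = ClaimSet.System;   // claims WCF derived from a verified token
        ClaimSet rogueIssuer = new DefaultClaimSet(Claim.CreateNameClaim("rogue"));

        ClaimSet fromTrusted = new DefaultClaimSet(trustedIssuer, new List<Claim> {
            Claim.CreateNameClaim("alice"),
            new Claim(RoleClaimType, RequiredRole, Rights.PossessProperty) });
        ClaimSet fromRogue = new DefaultClaimSet(rogueIssuer, new List<Claim> {
            new Claim(RoleClaimType, RequiredRole, Rights.PossessProperty) });

        Func<ClaimSet, bool> trust = s => ReferenceEquals(s.Issuer, ClaimSet.System);

        // Case 1: correct triplet from a trusted issuer.
        Console.WriteLine(HasClaim(new[] { fromTrusted }, RoleClaimType,
            Rights.PossessProperty, RequiredRole, trust));
        // Case 2: same triplet, but the claim set is self-issued, so it is ignored.
        Console.WriteLine(HasClaim(new[] { fromRogue }, RoleClaimType,
            Rights.PossessProperty, RequiredRole, trust));
    }
}
```

Register the manager through ServiceHost.Authorization.ServiceAuthorizationManager with an issuer predicate that matches how the endpoint's tokens are validated (ClaimSet.System for Windows tokens, the certificate claim set for X.509).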
18. Scenarios
- Intranet
  - Direct access to service (rare) – single machine
  - Application servers – more common, distributed, maybe port restrictions and firewalls
  - AD, Windows auth
- Internet
  - Firewalled, DMZed
  - Restricted ports and routes, custom identity store
  - Maybe trusted subsystem down the line with AD/Windows auth
  - Maybe multiple authentication systems involved
19. Scenarios (cont.)
- B2B
  - Crossing multiple network topologies, firewalls, port restrictions
  - Non-Windows security topologies and implementations
  - May require acquiring and using different identities
  - Maybe multiple authentication systems involved
  - Most likely service to service
22. Security Modes
- None. Turns security off. Not recommended (default for BasicHttpBinding).
- Transport. Uses transport security for mutual authentication and message protection.
- Message. Uses message security for mutual authentication and message protection. WCF requires an X509 certificate.
- Both. Allows you to supply settings for transport and message-level security (only MSMQ supports this).
24. Security Modes (cont.)
- TransportWithMessageCredential. Client credentials are passed with the message. Service authentication, confidentiality and data integrity are provided by the transport layer.
- TransportCredentialOnly. Client credentials are passed with the transport layer and no message protection is applied.
37. Out of the box bindings: Intranet
NetNamedPipeBinding
- Limited reach – same machine, cross process
- Fast
- No SOAP support
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
38. Out of the box bindings (cont.): Intranet
NetTcpBinding
- WCF-to-WCF scenarios
- Fast, can add WS* features – performance tradeoff
- If you used COM+/DCOM, use this binding
- Load balancing – has server affinity, reduce lease timeout
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
39. Out of the box bindings (cont.): Intranet
NetMsmqBinding
- Queued work / workload leveling / disconnected scenarios
- Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Sign
MsmqIntegrationBinding
- Non-WCF clients
40. Out of the box bindings (cont.): Internet
BasicHttpBinding
- Interop for ASMX, support for WS-I Basic Profile 1.1
- Does not support the WS* stack
- Works well with existing HTTP load balancing techniques
- Only binding supported in Silverlight 2.0
- Defaults: Security Mode: None; Transport: None; Credentials: User Name; Message protection: None
41. Out of the box bindings (cont.): Internet
WSHttpBinding
- Non-Windows/WCF clients
- Restricted ports, firewalls
- Can use HTTP load balancing – can't use reliable session, EstablishSecurityContext == off
- Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
42. Out of the box bindings (cont.): Internet
WSFederationHttpBinding
- Share identities across multiple systems
- Custom tokens
- Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
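The security modes (slides 22 and 24) and the binding defaults (slides 37 to 42) expressed in code, as an added example that is not from the session: the shipped BasicHttpBinding with its mode of None beside a hardened TransportWithMessageCredential variant, the intranet NetTcpBinding defaults made explicit, the load-balanced WSHttpBinding with EstablishSecurityContext and reliable session turned off, and a guard that refuses to host an endpoint whose mode is None. Method names are assumptions; it targets .NET Framework 3.5 with System.ServiceModel referenced.

```csharp
// Added example: WCF binding security modes from the slides, built in code.
// Assumes .NET Framework 3.5 with System.ServiceModel referenced.
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

public static class SecureBindings
{
    // BasicHttpBinding as shipped: Security.Mode defaults to None, so the SOAP
    // body, the client credential and the service identity are all unprotected.
    public static BasicHttpBinding InsecureDefault()
    {
        return new BasicHttpBinding();
    }

    // Hardened BasicHttpBinding: TransportWithMessageCredential. HTTPS
    // authenticates the service and protects the channel; the caller's user
    // name token travels in the WS-Security header of each message.
    public static BasicHttpBinding UserNameOverHttps()
    {
        BasicHttpBinding b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        return b;
    }

    // Intranet NetTcpBinding with the slide's defaults written out:
    // transport security, Windows credentials, encrypt and sign.
    public static NetTcpBinding IntranetWindows()
    {
        NetTcpBinding b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return b;
    }

    // Internet WSHttpBinding behind an HTTP load balancer: message security with
    // Windows credentials, but no secure-conversation session and no reliable
    // session, because both pin the client to a single server.
    public static WSHttpBinding InternetLoadBalanced()
    {
        WSHttpBinding b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        b.Security.Message.EstablishSecurityContext = false;
        b.ReliableSession.Enabled = false;
        return b;
    }

    // Guard to run before ServiceHost.AddServiceEndpoint: reject any binding
    // that would expose the endpoint with no transfer security at all.
    public static bool HasTransferSecurity(Binding binding)
    {
        BasicHttpBinding basic = binding as BasicHttpBinding;
        if (basic != null) return basic.Security.Mode != BasicHttpSecurityMode.None;
        WSHttpBinding ws = binding as WSHttpBinding;
        if (ws != null) return ws.Security.Mode != SecurityMode.None;
        NetTcpBinding tcp = binding as NetTcpBinding;
        if (tcp != null) return tcp.Security.Mode != SecurityMode.None;
        return false; // unknown binding type: treat as unverified
    }

    public static void Main()
    {
        Console.WriteLine("BasicHttpBinding default: " + HasTransferSecurity(InsecureDefault()));
        Console.WriteLine("UserName over HTTPS:      " + HasTransferSecurity(UserNameOverHttps()));
        Console.WriteLine("NetTcp intranet:          " + HasTransferSecurity(IntranetWindows()));
        Console.WriteLine("WSHttp load balanced:     " + HasTransferSecurity(InternetLoadBalanced()));
    }
}
```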
53. New Services
- NetMsmqActivator (Net.Msmq Listener Adapter): receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
- NetPipeActivator (Net.Pipe Listener Adapter): receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
54. New Services (cont.)
- NetTcpActivator (Net.Tcp Listener Adapter): receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
- NetTcpPortSharing (Net.Tcp Port Sharing Service): provides the ability to share TCP ports over the net.tcp protocol.
59. Track Resources
- CodePlex WCF Security Guidance - http://www.codeplex.com/WCFSecurity
- IDesign code library - http://www.idesign.net/
- MSDN WCF demos and examples - http://wcf.netfx3.com/
- (WCF), (WF) and Windows CardSpace Samples - MSDN http://tinyurl.com/4zvppt
- Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
63. Identity Types
- DNS - Use this element with X.509 certificates or Windows accounts.
- Certificate - This element specifies a Base64-encoded X.509 certificate value to compare with the client. Also use this element when using CardSpace as a credential to authenticate the service.