The document discusses conducting a PHP code audit. It outlines steps like interviewing developers, performing black box testing, and conducting an open code audit. When auditing code, the speaker searches for injections like SQL, PHP, and HTML injections. Variables used in includes are reviewed, as are comments, variables, functions, and conditions. Register_globals is identified as a risk that can be emulated. The report would provide an executive summary, problems summary, and details on vulnerabilities found. Community involvement and continuous auditing are recommended for security.
A way to identify trusted developer strings (aka "literals", which have been defined within the PHP script) which need to be used for HTML templates, SQL strings, CLI strings; and keep those completely separate from user controlled (attacker tainted) strings.
Replacing dependents with doubles is a central part of testing that every developer has to master. This talk goes over the different types of doubles and explains their place in testing, how to implement them in a mainstream mocking framework, and which strategies or doubles to use in different message exchange scenarios between objects. After this talk you will have moved a step forward in your understanding of testing in the context of object oriented programming.
Moving a high traffic ZF1 Enterprise Application to SF2 - Lessons learned, by Baldur Rensch
Hautelook is a large ecommerce application that is currently running a Zend Framework 1 backend. The next iteration of its API (used by desktop, mobile, as well as iPhone and Android native applications) is done with Symfony 2. This API is following the principles for hypermedia APIs. To that end, Hal+Json is the media-type we chose, and we implemented most of it using the FSC HateoasBundle. Another critical piece of Hal+Json APIs is documentation. To this end we have used NelmioApiDocBundle to automatically generate documentation for the API endpoints. The other critical piece of any application is performance for which we use XHProf with XHGui. In my talk I want to touch on all those aspects, show some of the lessons learned, how we solved some of the problems, and what is still unsolved.
Talk was given at WebConf Riga 2012. There was some trolling about Symfony 2 and ZF2 just for fun. I actually think these are great projects so sorry if it hurt your feelings.
Models and Service Layers, Hemoglobin and Hobgoblins, by Ross Tuck
As presented at ZendCon 2014, AmsterdamPHP, PHPBenelux 2014, Sweetlake PHP and PHP Northwest 2013, an overview of some different patterns for integrating and managing logic throughout your application.
PHP and MySQL Tips and tricks, DC 2007, by Damien Seguy
Like opening a long hidden treasure chest, this session will bring many jewels back to the programming light. We'll cover a number of lesser known PHP functions and MySQL functionalities that will help with daily tasks. They will be applied in various fields, including security, performance, standards compliance and simply fun to program.
Reviews the basis of using JavaScript within WordPress. How to load in scripts correctly and move PHP data into JavaScripts for later use. Presented at WordCamp Las Vegas 2013
Even nowadays, PHP code is mostly manually audited. Experts pore over actual code, in search of bugs or code smells. Actually, it is possible to have PHP do this work itself! Strengthened with the internal Tokenizer, bolstered by the manual, it is able to scan thousands of lines of code without getting bored, and bring pragmatic pieces of wisdom: official manual recommendations, version migration, code pruning and security. In the end, it delivers a global overview of the code, without reading it.
We've all been faced with legacy code and often decided to rewrite, feeling it will be easier. There are many reasons this can be wrong. Adam Culp will talk about the entire journey of refactoring a legacy code base. He will begin with assessment and why, move on to planning how and when, cover execution and testing, give step-by-step examples, and even show how to manage the process effectively. Attendees will gain insight and tips on how to handle their own pile of code and refactor happy.
Component Based UI Architecture, by Alex Moldovan, ITCamp
My talk will be mostly oriented towards the JavaScript ecosystem and the modern frameworks that enforce a component based approach towards building your UI. I will try to speak a lot from my recent experience with React.js and if time permits, I will demo some smaller apps just to show everyone how easy it is to play with React.
We all know that web performance optimization is becoming critical to the success of web sites and applications. The problem is, we often don’t have the control over the UI Architecture (“middle-end”) that we need to really make things better.
We’ll talk about how to use JavaScript (client- and server-side) to revamp the middle-end so we can throttle web performance (and code maintainability) to the next level.
Content Design, UI Architecture and Content-UI-Mapping, by Wolfram Nagel
When you want to gather, manage and publish content and display it independently on any user interface and/or target channel, you need a system that supports "Content Design and Content UI Mapping". Content and user interfaces can be planned and assembled modularly and structured in a similar manner, comparable to bricks in a building block system. Content basically runs through three steps until it reaches its recipient: gathering, management and output. A mapping has to occur at the intersections of these three steps.
This is the extended slides version on the topic.
There's also an article on the topic: https://medium.com/@wolframnagel/content-design-and-ui-mapping-a35af8cac3f6#.3ylkxrakf
Internationalizing CakePHP Applications, by Pierre MARTIN
Slides from the talk given by Mariano Iglesias during the CakeFest #3 - July 2009
Note: the original pdf and the code related to this talk can be found on cakephp.org (http://cakephp.org/downloads/CakeFest/CakeFest%203%20-%20Berlin%202009/Mariano%20Iglesias%20-%20Internationalizing%20CakePHP%20Applications)
Review unknown code with static analysis, ZendCon 2017, by Damien Seguy
Code quality is not just for Christmas, it is a daily part of the job. So, what do you do when you're handed with a five feet long pole a million lines of code that must be vetted? You call static analysis to the rescue. During one hour, we'll be reviewing totally unknown code: no name, no usage, not a clue. We'll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code?
This workshop is a hands-on training where a real Zend Framework application is used as an example to start improving QA using tools to test, document and perform software metric calculations to indicate where the software can be improved. I also explain the reports produced by a CI system.
Substitution of single letters separately—simple substitution—can be demonstrated by writing out the alphabet in some order to represent the substitution. This is termed a substitution alphabet. The cipher alphabet may be shifted or reversed (creating the Caesar and Atbash ciphers, respectively)
With a very low barrier to entry, developing with WordPress has become particularly popular in the past few years. However, this sometimes means that standards and best practices aren’t well respected.
This talk will cover WordPress coding standards, best practices, and technical tools to become a better developer. This will be a resourceful presentation for anyone beginning, interested in, and those who have been developing with WordPress for a long time. Some of the topics covered will be proper usage of hooks and filters, creating your own plugins (instead of always using that functions.php), making use of the mu-plugins folder, how to properly escape and sanitize user-generated content, security gotchas and more.
The talk is geared at beginning developers as much as it is for advanced developers. Basic php knowledge is strongly recommended, though not required.
Everyone talks about raising the bar on quality of code, but it's always hard to start implementing it when you have no clue where to start. With this talk I'm showing that there are many levels at which developers can improve themselves by using the right tools. In this talk I'll go over each tool with examples of how to use them against your codebase. A must attend talk for every developer that wants to scale up their quality. Most PHP developers deploy code that does what the customer requested but they don't have a clue about the quality of the product they deliver. Without this knowledge, maintenance can be a hell and very expensive. In this workshop I cover unit testing, code measuring, performance testing, debugging and profiling and give tips and tricks on how to continue after this workshop.
Refactoring @ Mindvalley: Smells, Techniques and Patterns, by Tristan Gomez
Every week my team commits really good, clean code. I decided to get the best of the commits and showcase what makes them good, what smells they address, and what techniques they used.
Version 5.0 will include version 2.0 of the Zend Engine
New object model is more powerful and intuitive
Objects will no longer be passed by value; they now will be passed by reference
Increases performance and makes OOP more attractive
Strong typing: adoption, adaptation and organisation, by Damien Seguy
There are tactical reasons to adopt strong typehints: easy validation, less code, fashionable. Besides, the first typehints blend in effortlessly with the current application: it is as if the typehints were already there. Later, it appears that scalar types paved the way to more substantial code refactoring. Classes emerge from the initial scalar types, code congregates around important values, types get more complex. Finally, systemic typehints arrive. Type hints become systemic when they help tame the class dependency hell, and help us plan for the new code. During the session, we'll cover the various stages of using typehints, with their advantages, and when not to overuse them.
Who left their password in the code, by Damien Seguy
Who, nowadays, still leaves their password in the code? For what reasons? And how to avoid seeing your secrets end up in production, or in a public repository? By using Exakat and git-secrets.
A detailed presentation of static analysis: its foundations in PHP, its internal mechanisms, the processes for building up knowledge and customizing analyses, as well as audit results.
A tour of the most classic PHP traps, from dangling references, operators and their precedence, and array_merge() in a loop, to forgotten native features and the improvements in PHP 8.0.
PHP has its own treasure chest of classic mistakes that surprise even the most seasoned expert: code that dies just by changing its namespace, strpos() that fails to find strings, or arrays that change without being touched.
Does that get on your nerves too? Let's make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you're not frightening us!
The best of strong typing (AFUP Day, 2020), by Damien Seguy
Typing is spreading to all of PHP: 7.4 adds it to properties, after arguments and return values. Although contrary to PHP's initial choice of weak typing, typing significantly increases the consistency of the code, its level of self-validation and the possibilities of inextricable dependencies. Typing helps introspection tools, helps debug code as early as possible, and helps adopt development techniques such as the null object pattern. It is an additional tool, practical for large projects, and easily deployed.
https://event.afup.org/afup-day-2020/afup-day-2020-tours/programme/#3246
PHP 7.4 is already knocking at the door, and it arrives with its arms full of features and modernizations. Whether it's FFI, typed properties, dropping real numbers, covariance, and even the modernization of strip_tags, array_merge without arguments, and nested ternary operators: phew, we'll have to roll up our sleeves. During the session, we'll review the new features and the incompatibilities, and see how to prepare your code right now.
PHP has its share of surprises that spice up our lives as developers: code that dies from a namespace change, strpos that can't find its string, and arrays that change without being touched. Does that annoy you too? Then, in 20 minutes, we'll put together an anthology of the most vicious errors, how to fix them, and how to keep them away from your code. Fasten your seatbelts!
Static analysis is an emerging field, in particular in the PHP world. Reviewing source code at the speed of a computer requires powerful theoretical tools: control flow diagrams, abstract syntax trees, acyclic dependency graphs.
If all this seems far and remote from PHP, come and learn how they apply to your favorite language! They are all useful when it comes to detecting early those errors that end up in production, and sometimes even before the code may compile. We'll see how to combine all those aspects to build a useful auditing engine.
Review unknown code with static analysis, PHP CE 2018, by Damien Seguy
Code quality is not just for Christmas, it is a daily part of the job. So, what do you do when you're handed, with a five feet long pole, a million lines of code that must be vetted? You call static analysis to the rescue. During one hour, we'll be reviewing totally unknown code: no name, no usage, not a clue. We'll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code?
PHP 7.3 is already at beta 3 and we will get the final version shortly after Sinterklaas.
A wide range of new features are already available for testing, including the relaxed syntax for heredocs, the trailing comma in function calls, and a crowd of smaller increments.
We'll review those evolutions, check the incompatibilities, and try to find them in PHP code.
Finally, we'll present the RFC process that leads to new features: we can start to discover PHP 7.4 together!
PHP 7.3 will be in beta at the end of the summer, and targets a release before Christmas. Many new features have been planned for a long time, such as the evolution of the heredoc syntax, or trailing commas in function calls, while a flurry of new features are jostling at the gate, and have even generated an alpha 4. We'll review all these changes, as well as the incompatibilities, how to find them in code, and how PHP's RFCs work.
Review unknown code with static analysis, PHP IPC 2018, by Damien Seguy
Code quality is not just for Christmas, it is a daily part of the job. So, what do you do when you're handed, with a five feet long pole, a million lines of code that must be vetted? You call static analysis to the rescue. During one hour, we'll be reviewing totally unknown code: no name, no usage, not a clue. We'll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code?
Everyone fears the review of their own code. And to start with, there is no time. Because, what will happen once we have found something to detail? In fact, a good code review means being ready to discuss a mere few lines, assess the context and evaluate an alternative, or not. It also means that when the code has become a dense jungle, monsters worse than a few errors may hide there. Using automated tools that are not scared by volume, we'll keep everything under control, without anyone else knowing about it.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect personal devices and information.
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI, by Vladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ..., by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024, by Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
How to Get CNIC Information System with Paksim Ga.pptx, by danishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf, by Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
8. Review the application
Best: have a non-programmer explain the application
Then have the programmer explain again
The differences are interesting
9. Killer questions
What is the most important asset to secure on the site?
«everything» is not an answer
data destruction
data exportation
client separation
company image
10. How was the app secured?
Where are the security functions/classes/layers/thingy?
How are they applied?
How do you check how they are applied?
11. I like to hear...
Out of web folder
Automated deployment
Automated tests AND manual tests
Security as a layer (functions and application)
12. Black Box testing
Test from the outside
Search the engines
Session usurpation
Disclosed files
Displayed errors
Tools: RATS, nikto, Wapiti
13. Open Code audits
What to search for?
What are the entry points?
How can they be exploited?
Or protected?
19. Evals
◦ eval('$retour=$GLOBALS["'.$matches[1].'"];')
◦ Variable variables.
◦ eval($contenu_thjipk);
◦ eval($contents_essai);
◦ Content is read into a variable, then executed: an include?
◦ eval('$hexdtime = "'.$hexdtime.'";')
◦ Long way to cast a string into a string
◦ eval('$retour2.= '.var_dump($recept->erreur).';')
◦ This doesn’t even make sense...
24. Assessing the code
One liners
One line of code is sufficient to be bad
Even though
you must follow the code
In reverse
25. Inclusion
◦ require("../params_frm.php")
◦ require(fct_lien_page_custom(TYPE_DOMAINE."/".TYPE_DOC."_custom.php","abs"))
◦ require(fct_lien_page_custom("params_footer.php","abs"))
◦ Pretty secure inclusions
◦ But 96 variables used in includes
◦ include(fct_lien_page_custom("action/facture_".$format.".php","abs"))
◦ $format, anyone?
◦ require_once("etat_simple_".$choix_page."_trt.php")
◦ $choix_page, anyone?
27. $choix_format ?
switch($choix) {
case 0 : $choix_page="tabl";
break;
case 1 : $choix_page="histo1";
if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";
break;
case 2 : $choix_page="histo2";
if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";
break;
case 3 : $choix_page="histo3";
if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";
break;
case 4 : $choix_page="histo4";
if ($gfx_sens_graph=="1") $gfx_margegauche_dft="90";
break;
} ###...Way below
require_once("etat_simple_".$choix_page."_trt.php");
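The switch above only sets $choix_page for $choix in 0..4, and the include much further down concatenates whatever $choix_page holds into a file name; the eval-built lookups on slide 19 have the same shape, request data turned into code. The following is an added example, not code from the talk or the audited application: it keeps the page names and the etat_simple_*_trt.php naming from the slide, and assumes PHP 8.0+. REPORT_PAGES, READABLE_GLOBALS, resolve_report_page, report_template_path, read_global and render_report are constructed for the example.

```php
<?php
// Added example (not from the talk): request data selects from a fixed table
// instead of being concatenated into a file path (slide 27) or into code (slide 19).
// Assumes PHP 8.0+.

declare(strict_types=1);

// Allowlist of report pages, keyed by the request value (names from the switch on slide 27).
const REPORT_PAGES = [0 => 'tabl', 1 => 'histo1', 2 => 'histo2', 3 => 'histo3', 4 => 'histo4'];

// Allowlist of globals a caller may read by name (replaces eval('$retour=$GLOBALS["'...'"];')).
const READABLE_GLOBALS = ['gfx_sens_graph', 'gfx_margegauche_dft'];

/** Map a request value onto a page name; null for anything not in the table. */
function resolve_report_page(mixed $choix): ?string
{
    // Only a plain decimal string or an int is accepted; "1 OR 1", "1.0", arrays are refused.
    if (!is_int($choix) && !(is_string($choix) && ctype_digit($choix))) {
        return null;
    }
    return REPORT_PAGES[(int) $choix] ?? null;
}

/** Absolute template path, built only from constants once the page is resolved. */
function report_template_path(string $baseDir, mixed $choix): ?string
{
    $page = resolve_report_page($choix);
    if ($page === null) {
        return null;
    }
    // $page comes from REPORT_PAGES, so no "../" or "php://" can reach the path.
    return rtrim($baseDir, '/') . '/etat_simple_' . $page . '_trt.php';
}

/** Read a global by name without eval: the name must be in READABLE_GLOBALS. */
function read_global(string $name): mixed
{
    if (!in_array($name, READABLE_GLOBALS, true)) {
        throw new InvalidArgumentException("global '$name' is not readable");
    }
    return $GLOBALS[$name] ?? null;
}

// Web usage: the request supplies $choix, never $choix_page itself. The original
// switch left $choix_page unset for out-of-range values; here the request is refused.
function render_report(mixed $choix): void
{
    $path = report_template_path(__DIR__, $choix);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown report');
    }
    require_once $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs to show which values get through the allowlist.
    foreach (['2', 2, '7', '../etc/passwd', 'histo1', ['2']] as $input) {
        $shown = is_array($input) ? 'array' : var_export($input, true);
        echo str_pad($shown, 20), ' => ', report_template_path('/var/www/app', $input) ?? 'refused', PHP_EOL;
    }
    $gfx_sens_graph = '1';
    echo 'gfx_sens_graph = ', var_export(read_global('gfx_sens_graph'), true), PHP_EOL;
} else {
    render_report($_GET['choix'] ?? null);
}
```

Run it from the command line to see which constructed inputs resolve; in a web context it performs the include. The point the auditor looks for is that the path never contains a request value, only a value looked up from a constant table.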
28. Statistical audit
Extract one type of information
Review it out of context
Use this as a starting point for more questions
29. Comments
//echo "<div><a class="texte1" style=...
#echo "<pre>";
Leftovers: what were they for?
#print_r($_REQUEST);
No organization for bugs?
// hack for mozilla sunbird's extra = signs
Look for swearing, TODO, hack
30. Variables
6883 different variables names
Every possible one-letter variable name
32 chars : $cache_maxsize_UTF8StringToArray
Most used : $i (2586 times)
$_1904, $samedi, $dummy, $sss, 19 $unknowns
711 variables used only once in the code
31. Other interesting ideas
name of functions
name of classes
name of constants
literals (strings, numbers)
Condition (if, while)
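The statistical audit of slides 28 to 31 (extract one kind of information, review it out of context) can be scripted with PHP's own tokenizer. The block below is an added example, not a tool from the talk: it reproduces the variable figures of slide 30, the comment hunt of slide 29 and the name extraction of slide 31 on a constructed sample source. It assumes PHP 8.0+; SAMPLE_SOURCE, variable_stats, suspicious_comments and declared_names are constructed names.

```php
<?php
// Added example (not from the talk): a token-based extractor for the statistical
// audit of slides 28-31. Assumes PHP 8.0+; the sample source is constructed.

declare(strict_types=1);

const SAMPLE_SOURCE = <<<'PHP'
<?php
//echo "<div><a class="texte1" style=...
#print_r($_REQUEST);
// hack for mozilla sunbird's extra = signs
// TODO: remove before release
define('TYPE_DOMAINE', 'client');
function fct_lien_page_custom($page, $mode) { return $page . $mode; }
class Recept { public $erreur; }
for ($i = 0; $i < 3; $i++) { $cache_maxsize_UTF8StringToArray = $i; }
$dummy = 1; $sss = $i; $samedi = 'saturday'; $_1904 = $i + $sss;
PHP;

const SUPERGLOBALS = ['$GLOBALS', '$_GET', '$_POST', '$_REQUEST', '$_COOKIE',
                      '$_FILES', '$_SERVER', '$_ENV', '$_SESSION'];

/** Slide 30: distinct names, most used, used once, one-letter names, longest name. */
function variable_stats(string $source): array
{
    $counts = [];
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_VARIABLE && $tok[1] !== '$this'
            && !in_array($tok[1], SUPERGLOBALS, true)) {
            $counts[$tok[1]] = ($counts[$tok[1]] ?? 0) + 1;
        }
    }
    arsort($counts);
    $names = array_keys($counts);
    $longest = '';
    foreach ($names as $n) { if (strlen($n) > strlen($longest)) { $longest = $n; } }
    return [
        'distinct'   => count($counts),
        'most_used'  => $names[0] ?? null,
        'used_once'  => array_keys(array_filter($counts, fn(int $c) => $c === 1)),
        'one_letter' => array_values(array_filter($names, fn(string $n) => strlen($n) === 2)),
        'longest'    => $longest,
    ];
}

/** Slide 29: comments that look like commented-out code or carry hack/TODO-style markers. */
function suspicious_comments(string $source): array
{
    $hits = [];
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok) || !in_array($tok[0], [T_COMMENT, T_DOC_COMMENT], true)) { continue; }
        $text = ltrim(trim($tok[1]), '/#* ');
        $why = [];
        if (preg_match('/\b(TODO|FIXME|XXX|hack)\b/i', $text)) { $why[] = 'marker'; }
        if (preg_match('/^(echo|print|var_dump|die|exit|return|\$\w+\s*=)/', $text)) { $why[] = 'left-over code'; }
        if ($why) { $hits[] = ['line' => $tok[2], 'why' => implode(',', $why), 'text' => $text]; }
    }
    return $hits;
}

/** Slide 31: names of declared functions, classes and define()d constants. */
function declared_names(string $source): array
{
    $out = ['functions' => [], 'classes' => [], 'constants' => []];
    $toks = array_values(array_filter(token_get_all($source),
        fn($t) => !is_array($t) || $t[0] !== T_WHITESPACE));
    for ($i = 0, $n = count($toks); $i < $n - 2; $i++) {
        $t = $toks[$i];
        if (!is_array($t)) { continue; }
        $prev = $i > 0 ? $toks[$i - 1] : null;
        if ($t[0] === T_FUNCTION && is_array($toks[$i + 1]) && $toks[$i + 1][0] === T_STRING) {
            $out['functions'][] = $toks[$i + 1][1];            // closures have '(' next, so they are skipped
        } elseif ($t[0] === T_CLASS && is_array($toks[$i + 1]) && $toks[$i + 1][0] === T_STRING
                  && !(is_array($prev) && $prev[0] === T_DOUBLE_COLON)) {   // not Foo::class
            $out['classes'][] = $toks[$i + 1][1];
        } elseif ($t[0] === T_STRING && strtolower($t[1]) === 'define' && $toks[$i + 1] === '('
                  && is_array($toks[$i + 2]) && $toks[$i + 2][0] === T_CONSTANT_ENCAPSED_STRING) {
            $out['constants'][] = trim($toks[$i + 2][1], '\'"');
        }
    }
    return $out;
}

print_r(variable_stats(SAMPLE_SOURCE));
print_r(suspicious_comments(SAMPLE_SOURCE));
print_r(declared_names(SAMPLE_SOURCE));
```

Point the three functions at file_get_contents() of each file in the tree instead of SAMPLE_SOURCE and merge the results; each list is a starting point for questions to the developers, as slide 28 says, not a finding by itself.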
35. register_globals strikes back
Don’t use register globals!!
How can you emulate this behavior?
There are no less than 5 ways to emulate register_globals...
Don’t emulate register_globals!
47. Found!
◦ ./install/identification.php
◦ extract($_POST) : 1
◦ Injection by $_POST
◦ ./fonctions/fonctions_gen.php
◦ $GLOBALS[$k] = $chaine[$k]
◦ $GLOBALS[$this->mode] [$k] = $chaine[$k]
◦ In fct_urldecode, the values are stripslashed, then injected into $GLOBALS, resulting in variable creation
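Both findings above are register_globals emulations: extract() on a request superglobal and assignment through $GLOBALS with a variable index. The block below is an added example, not a tool from the talk: a token-based scanner for those two patterns, for the variable variables mentioned on slide 19, and for single-argument parse_str(), which also writes into the current scope (the talk says there are at least five ways without listing them; parse_str is my addition). Taint carried through an intermediate variable, such as $p = $_POST; extract($p);, is not followed. Assumes PHP 8.0+; SAMPLE, tokens, call_args and scan_register_globals_emulation are constructed names.

```php
<?php
// Added example (not from the talk): scanner for register_globals emulations.
// Covers extract() of request data, $GLOBALS[$var] writes, $$var, and
// single-argument parse_str(). Assumes PHP 8.0+; the sample source is constructed.

declare(strict_types=1);

const SAMPLE = <<<'PHP'
<?php
extract($_POST);
extract($config, EXTR_SKIP);
foreach ($chaine as $k => $v) { $GLOBALS[$k] = $chaine[$k]; }
$GLOBALS[$this->mode][$k] = $chaine[$k];
$GLOBALS['debug'] = true;
$$name = $value;
parse_str($_SERVER['QUERY_STRING']);
parse_str($qs, $params);
PHP;

const REQUEST_SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER', '$_ENV', '$_FILES'];

/** Tokens of $source without whitespace; punctuation is normalised to [null, text, line]. */
function tokens(string $source): array
{
    $out = [];
    $line = 1;
    foreach (token_get_all($source) as $t) {
        if (is_array($t)) {
            $line = $t[2];
            if ($t[0] !== T_WHITESPACE) { $out[] = $t; }
        } else {
            $out[] = [null, $t, $line];
        }
    }
    return $out;
}

/** Top-level arguments of the call whose '(' is at $open, each as the text of its tokens. */
function call_args(array $toks, int $open): array
{
    $args = [''];
    $depth = 0;
    for ($i = $open + 1, $n = count($toks); $i < $n; $i++) {
        $text = $toks[$i][1];
        if ($text === '(' || $text === '[') { $depth++; }
        elseif ($text === ')' || $text === ']') { if ($depth-- === 0) { break; } }
        elseif ($text === ',' && $depth === 0) { $args[] = ''; continue; }
        $args[count($args) - 1] .= $text;
    }
    return $args[0] === '' ? [] : $args;
}

/** Returns [line, kind, snippet] for every register_globals-like write into the scope. */
function scan_register_globals_emulation(string $source): array
{
    $toks = tokens($source);
    $n = count($toks);
    $findings = [];
    for ($i = 0; $i < $n - 1; $i++) {
        [$id, $text, $line] = $toks[$i];
        $next = $toks[$i + 1][1];
        if ($id === T_STRING && $next === '(') {
            $fn = strtolower($text);
            $args = call_args($toks, $i + 1);
            $first = $args[0] ?? '';
            $fromRequest = array_filter(REQUEST_SUPERGLOBALS, fn($g) => str_starts_with($first, $g));
            if ($fn === 'extract' && $fromRequest) {
                $findings[] = [$line, 'extract() of request data', "extract($first)"];
            } elseif ($fn === 'parse_str' && count($args) === 1) {
                $findings[] = [$line, 'parse_str() into current scope', "parse_str($first)"];
            }
        } elseif ($id === T_VARIABLE && $text === '$GLOBALS' && $next === '['
                  && ($toks[$i + 2][0] ?? null) === T_VARIABLE) {
            $findings[] = [$line, 'variable index into $GLOBALS', '$GLOBALS[' . $toks[$i + 2][1] . ']'];
        } elseif ($id === null && $text === '$' && ($toks[$i + 1][0] === T_VARIABLE || $next === '{')) {
            $findings[] = [$line, 'variable variable', '$' . $next];
        }
    }
    return $findings;
}

foreach (scan_register_globals_emulation(SAMPLE) as [$line, $kind, $snippet]) {
    printf("line %d: %s  (%s)\n", $line, $kind, $snippet);
}
```

The scanner flags lines 2, 4, 5, 7 and 8 of the sample and stays quiet on extract($config, EXTR_SKIP), $GLOBALS['debug'] and the two-argument parse_str(). Every hit still needs the "follow the code in reverse" step from slide 24 to decide whether the source of the data is under user control.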
48. SQL injections
Point of entry
mysql_query
mysqli_real_escape_string
SQL query :
string with SELECT, UPDATE, ...
49. Found!
◦ 'UPDATE param_suivi SET param_suivi_nom="'.str_replace($transf_sp,$transf_fr,$_POST["suivi_nom"]) : 1
◦ Direct injection via POST
◦ WHERE campagne_nom LIKE '%".addslashes($_REQUEST['rech_nom'])
◦ Injection from $_REQUEST
◦ "UPDATE even_spl SET even_spl_fait='".$even_fait."',even_spl_modification='".$date_du_jour."' WHERE even_spl_id='".$even_id."' AND even_spl_affaire_id='".$even_aff_id."'"; : 1
◦ "INSERT INTO ".$type_doc."_suivi (".$type_doc."_suivi_param_suivi_id, ".$type_doc."_suivi_".$type_doc."_id, ".$type_doc."_suivi_canal_id, ".$type_doc."_suivi_action, ".$type_doc."_suivi_commentaire, ".$type_doc."_suivi_creation) VALUES ('".$id_suivi."', '".$id_doc."', '".$id_canal."', '".$suivi_date."', '".addslashes($suivi_commentaire)
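The three query shapes above (request data concatenated into an UPDATE, addslashes() used as SQL escaping in a LIKE, and a table name built from $type_doc) are what the mysql_query / SELECT / UPDATE search of slide 48 turns up. The block below is an added example, not code from the audited application: each shape next to its parameterised form with mysqli. It keeps the table and column names from the slide; DOC_TYPES (the document types whose *_suivi tables exist), the column-to-value mapping in insert_suivi, and the function names are constructed, and it assumes PHP 8.0+ and a mysqli connection supplied by the caller.

```php
<?php
// Added example (not from the talk): the slide's query shapes with values bound
// instead of concatenated, and the dynamic table name taken from an allowlist.
// Assumes PHP 8.0+ and an open mysqli connection; DOC_TYPES is constructed.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // failed prepare/execute throw

// Constructed: the document types whose <type>_suivi tables exist.
const DOC_TYPES = ['devis', 'facture'];

/** Escape a value bound inside a LIKE pattern so '%' and '_' match literally (MySQL's default escape is '\'). */
function like_escape(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

/** Identifier allowlist: the table name is assembled only after $typeDoc is found in DOC_TYPES. */
function suivi_table(string $typeDoc): string
{
    if (!in_array($typeDoc, DOC_TYPES, true)) {
        throw new InvalidArgumentException("unknown document type '$typeDoc'");
    }
    return $typeDoc . '_suivi';
}

// Before (slide 49): 'UPDATE param_suivi SET param_suivi_nom="' . str_replace(..., $_POST["suivi_nom"]) ...
// After: the value travels as a bound parameter, never as part of the SQL text.
function update_suivi_nom(mysqli $db, int $id, string $nom): bool
{
    $stmt = $db->prepare('UPDATE param_suivi SET param_suivi_nom = ? WHERE param_suivi_id = ?');
    $stmt->bind_param('si', $nom, $id);
    return $stmt->execute();
}

// Before: WHERE campagne_nom LIKE '%" . addslashes($_REQUEST['rech_nom']) ...
// After: addslashes() is not SQL escaping; bind the whole pattern and escape the LIKE wildcards.
function search_campagne(mysqli $db, string $needle): array
{
    $pattern = '%' . like_escape($needle) . '%';
    $stmt = $db->prepare('SELECT campagne_id, campagne_nom FROM campagne WHERE campagne_nom LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Before: "INSERT INTO " . $type_doc . "_suivi (" . $type_doc . "_suivi_param_suivi_id, ...) VALUES ('" . $id_suivi . "', ...
// After: identifiers come from the allowlist, values are bound. Placeholders cannot
// carry identifiers, which is why the allowlist, not escaping, guards $typeDoc.
function insert_suivi(mysqli $db, string $typeDoc, int $idSuivi, int $idDoc, int $idCanal,
                      string $action, string $commentaire, string $date): bool
{
    $table = suivi_table($typeDoc);  // throws for anything not in DOC_TYPES
    $sql = sprintf(
        'INSERT INTO `%1$s` (`%2$s_suivi_param_suivi_id`, `%2$s_suivi_%2$s_id`, `%2$s_suivi_canal_id`, '
        . '`%2$s_suivi_action`, `%2$s_suivi_commentaire`, `%2$s_suivi_creation`) VALUES (?, ?, ?, ?, ?, ?)',
        $table, $typeDoc
    );
    $stmt = $db->prepare($sql);
    $stmt->bind_param('iiisss', $idSuivi, $idDoc, $idCanal, $action, $commentaire, $date);
    return $stmt->execute();
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the wildcard characters are neutralised before binding.
    echo like_escape('50%_off\\'), PHP_EOL;
}
```

When grepping as slide 48 suggests, a file that contains mysqli_real_escape_string but no prepare() is the one to read first: escaping applied in the wrong place (addslashes, str_replace) is exactly what the three findings above show.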
50. And also
Header injection
Look for header()
XSS
look for echo, print
look for strings with tags
Etc...
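For the two remaining sinks the slide says to grep for, echo/print of request data and header() built from request data, the block below is an added example, not code from the talk: an output escaper, a href filter and a redirect-target check of the kind an auditor expects to find next to those calls. It assumes PHP 8.0+ and UTF-8 output; h, safe_href, safe_redirect_target and greeting_html are constructed names.

```php
<?php
// Added example (not from the talk): checks that belong next to echo/print and
// header() when request data is involved. Assumes PHP 8.0+ and UTF-8 output.

declare(strict_types=1);

/** Escape for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Accept only http(s) or site-relative URLs in href/src; anything else (javascript:, data:) becomes '#'. */
function safe_href(string $url): string
{
    $url = trim($url);
    if (preg_match('#^(?:https?://|/(?!/))#i', $url)) {
        return h($url);
    }
    return '#';
}

/**
 * Redirect target for a Location header: must be a path on this site, with no
 * CR/LF, NUL, scheme or host. PHP itself refuses header() values containing a
 * newline (since 5.1.2); this check additionally keeps the redirect on-site.
 */
function safe_redirect_target(string $next, string $fallback = '/'): string
{
    if ($next === '' || preg_match('/[\r\n\0]/', $next) || !str_starts_with($next, '/')
        || str_starts_with($next, '//') || str_starts_with($next, '/\\')) {
        return $fallback;
    }
    $parts = parse_url($next);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $next;
}

// Before (the patterns slide 50 says to look for):
//   echo "<p>Hello " . $_GET['name'] . "</p>";
//   header("Location: " . $_GET['next']);
// After: every request value passes through h()/safe_href() on its way into HTML.
function greeting_html(string $name, string $profileUrl): string
{
    return '<p>Hello <a href="' . safe_href($profileUrl) . '">' . h($name) . '</a></p>';
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs showing what reaches the page and the header.
    echo greeting_html('<script>alert(1)</script>', 'javascript:alert(1)'), PHP_EOL;
    foreach (["/account\r\nSet-Cookie: x=1", 'https://evil.example/', '//evil.example', '/account?tab=1'] as $n) {
        echo var_export($n, true), ' -> ', safe_redirect_target($n), PHP_EOL;
    }
} else {
    header('Location: ' . safe_redirect_target($_GET['next'] ?? ''), true, 303);
    exit;
}
```

During the audit, an echo whose argument is not wrapped in h() (or an equivalent the application defines) is a finding to list; the "strings with tags" search on the slide finds the templates where such echoes live.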
51. Report
Executive summary
3 paragraphs, simple to read
Problems summary
Table, with problems, criticality and load
Details
Extras
52. Report
Vulnerability     Criticality  Load
register_globals  High         High
Injections        High         Medium
SQL injection     Medium       High
headers           Low          Low
53. Details
Title
Code example and explanation
Protection suggestions
Limitations
List of all occurrences
Or way to find them
54. Team Work
Security is recommended at conception time
Audit is an after-thought tool
Once
When necessary
Regularly
Continuously
55. PHP Mantra
List your mantra
The five most important rules you agree upon
Have them printed and visible to everyone
56. Cross audit
Group developers by two
Have each one review the code of the other
Based on the mantra
Lightweight process
Doesn’t have to be in the same project