Slides from Apache Shiro User Group presentation by Les Hazlewood on API design and RESTful API security using Shiro. Demonstrates design and security principles using Stormpath API.
Drupal core is a secure product, but how secure are contrib modules? And custom ones?
This session is about proper use of the drupal api's and some best practices for secure drupal development.
Apache Shiro, a simple easy-to-use framework to enforce user security by Shiro PMC Chair and Stormpath CTO, Les Hazlewood.
http://shiro.apache.org
http://stormpath.com
Super simple application security with Apache ShiroMarakana Inc.
Les Hazlewood, founder of the Apache Shiro project, covers the benefits of using Shiro as an application security framework.
Check out the video for this presentation, as well as more training resources for Java here: http://marakana.com/forums/java/general/183.html
Slides from Apache Shiro User Group presentation by Les Hazlewood on API design and RESTful API security using Shiro. Demonstrates design and security principles using Stormpath API.
Drupal core is a secure product, but how secure are contrib modules? And custom ones?
This session is about proper use of the drupal api's and some best practices for secure drupal development.
Apache Shiro, a simple easy-to-use framework to enforce user security by Shiro PMC Chair and Stormpath CTO, Les Hazlewood.
http://shiro.apache.org
http://stormpath.com
Super simple application security with Apache ShiroMarakana Inc.
Les Hazlewood, founder of the Apache Shiro project, covers the benefits of using Shiro as an application security framework.
Check out the video for this presentation, as well as more training resources for Java here: http://marakana.com/forums/java/general/183.html
Security breaches are becoming more common in today’s world, from large vulnerable corporations being attacked to cyber attacks causing physical damage. With Drupal becoming increasingly more popular, it has become a perfect target for these automated attacks. Last year's SA-CORE-2014-005 vulnerability has demonstrated that hackers have learned how to take advantage of Drupal’s functionality to infect a site and remain unnoticed.
Site builders and maintainers have a large role to play in preventing these kinds of disasters. With a solid knowledge base of the most common security threats, developers can quickly identify those security issues and learn how to address them. In this webinar, learn about how to protect your Drupal site against security threats, with topics including:
- How Drupal can protect against DDoS attacks
- Configuration mistakes that make you vulnerable, and how to avoid them
- Fast updates: the single most important security element
Security improvements in Drupal 8
- Modules to enhance security and evaluating contributed module quality
Injection is the number 1 attack category in the OWASP Top 10 and for good reason: injection flaws are extremely damaging because they allow an attacker to execute arbitrary commands, either on on the host running the application or on the database server. This Application Security Lesson will teach you what is Injection, types of Injection, explain how to find it, how to exploit it and how to prevent it.
The Drupal project’s responses to the web’s most common software vulnerabilities.
For more Four Kitchens presentations, please visit http://fourkitchens.com/presentations
As a part of the software industry, it is a basic necessity to create a secure application/product. Security testing is not only about hacking, and can be approached in a structured manner. This presentation will help you understand how to incorporate security in different phases and aspects of software development.
Alfresco DevCon 2018: Role Based Access Control with Apache ShiroErmanno Russo
https://www.youtube.com/watch?v=1gTRqFAZt4M
Discontinued Alfresco Workdesk offers granular Role Based Access Control to define which functionalities users can access based on their role. While working to implement a replacement solution, I had to find a way to replicate this feature, and I found it in Apache Shiro. Using a fairly simple mechanism, I was able to map granular permissions (one for each method exposed by our custom REST API) to Alfresco groups, which act as roles. Moreover, combining this with Spring HATEOAS, it was possible to include in each JSON response only the links to the functionalities the user can actually access, so that our front-end client was able to determine accordingly what page components to display.
Conduct a few internal pen tests and you’re bound to come across Jenkins, the world’s most popular build automation server. When you encounter it, what do you do? Go beyond a 5-minute Google search and checking for open script consoles. This talk dives into various ways to exploit Jenkins and how to move laterally into sensitive systems.
Introduction To Ruby Watir (Web Application Testing In Ruby)Mindfire Solutions
This involves the presentation of fundamentals/basics of Ruby-WATIR (Web Application Testing In Ruby) for the tester to automate there testing methods and steps.
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle Mark Hamstra
Introducing MODX Revolution and the concept of Creative Freedom at the first PHP Zwolle Meetup on August 27th.
Relevant links:
MODX.com => official website
rtfm.modx.com => official documentation
github.com/modxcms/revolution => source code
MODX.today => daily links/articles about MODX
modmore.com => premium extras for MODX
https://joind.in/talk/view/15031 => for feedback on the talk
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
OWASP Top 10 vs Drupal
Abstract: Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.
Security breaches are becoming more common in today’s world, from large vulnerable corporations being attacked to cyber attacks causing physical damage. With Drupal becoming increasingly more popular, it has become a perfect target for these automated attacks. Last year's SA-CORE-2014-005 vulnerability has demonstrated that hackers have learned how to take advantage of Drupal’s functionality to infect a site and remain unnoticed.
Site builders and maintainers have a large role to play in preventing these kinds of disasters. With a solid knowledge base of the most common security threats, developers can quickly identify those security issues and learn how to address them. In this webinar, learn about how to protect your Drupal site against security threats, with topics including:
- How Drupal can protect against DDoS attacks
- Configuration mistakes that make you vulnerable, and how to avoid them
- Fast updates: the single most important security element
Security improvements in Drupal 8
- Modules to enhance security and evaluating contributed module quality
Injection is the number 1 attack category in the OWASP Top 10 and for good reason: injection flaws are extremely damaging because they allow an attacker to execute arbitrary commands, either on on the host running the application or on the database server. This Application Security Lesson will teach you what is Injection, types of Injection, explain how to find it, how to exploit it and how to prevent it.
The Drupal project’s responses to the web’s most common software vulnerabilities.
For more Four Kitchens presentations, please visit http://fourkitchens.com/presentations
As a part of the software industry, it is a basic necessity to create a secure application/product. Security testing is not only about hacking, and can be approached in a structured manner. This presentation will help you understand how to incorporate security in different phases and aspects of software development.
Alfresco DevCon 2018: Role Based Access Control with Apache ShiroErmanno Russo
https://www.youtube.com/watch?v=1gTRqFAZt4M
Discontinued Alfresco Workdesk offers granular Role Based Access Control to define which functionalities users can access based on their role. While working to implement a replacement solution, I had to find a way to replicate this feature, and I found it in Apache Shiro. Using a fairly simple mechanism, I was able to map granular permissions (one for each method exposed by our custom REST API) to Alfresco groups, which act as roles. Moreover, combining this with Spring HATEOAS, it was possible to include in each JSON response only the links to the functionalities the user can actually access, so that our front-end client was able to determine accordingly what page components to display.
Conduct a few internal pen tests and you’re bound to come across Jenkins, the world’s most popular build automation server. When you encounter it, what do you do? Go beyond a 5-minute Google search and checking for open script consoles. This talk dives into various ways to exploit Jenkins and how to move laterally into sensitive systems.
Introduction To Ruby Watir (Web Application Testing In Ruby)Mindfire Solutions
This involves the presentation of fundamentals/basics of Ruby-WATIR (Web Application Testing In Ruby) for the tester to automate there testing methods and steps.
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle Mark Hamstra
Introducing MODX Revolution and the concept of Creative Freedom at the first PHP Zwolle Meetup on August 27th.
Relevant links:
MODX.com => official website
rtfm.modx.com => official documentation
github.com/modxcms/revolution => source code
MODX.today => daily links/articles about MODX
modmore.com => premium extras for MODX
https://joind.in/talk/view/15031 => for feedback on the talk
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
OWASP Top 10 vs Drupal
Abstract: Drupal is the most used and well-known open source content management system in the world. Created by Dries Buytaert years ago it has grown with the support of a big community. Drupal 7 is already released and there is an entire ecosystem for Drupal and Drupal web agencies.
During this presentation we will discuss the findings of an automated static code analysis of Drupal 6 and Drupal 7 and how Drupal protects against the OWASP Top 10 Application Security Risks. We will explain the security weaknesses that remain when you use Drupal and what you can implement to have a secure cloud server running Drupal.
This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
Devbeat Conference - Developer First SecurityMichael Coates
Topics include:
- Sample and Demo of Top Application Risks — Cross Site Scripting, SQL Injection, Access Control
- Who’s Monitoring Your Traffic? — Encrypting in Transit
Secure Data Storage & Protection — Correct Password
-Storage & Data Protection
-Growing Threats Plaguing Applications
This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Epistemic Interaction - tuning interfaces to provide information for AI support
null Bangalore meet - Php Security
1. Secure Web App Programming
Akash Mahajan
Talk at NULL Bangalore Meeting
8th August 2009
2. Cross Site Scripting - XSS
• Injecting HTML/JS into the site.
– Non-persistent/Reflected/First Order
• Script is taken from the request and displayed in the browser
directly
• example.com/search?q=<script>alert(‘hi’);</script>
• Example.com/index.php?lang=path to php shell
– Persistent/Stored/Second Order
• First name of a registration form is vuln and the value is
stored in the database
• Hello <iframe src=http://f1y.in/0.js></iframe>
– DOM Based
• No example, mentioned by Amit Klien in his paper XSS of the
Third Kind
3. XSS mitigation in PHP
• Sanitize all globals ($_GET, $_POST, $_COOKIE)
– Use strip_tags()
– Use inpekt library code.google.com/p/inspekt
• Escape everything before displaying
– htmlentities(), htmlspeciachars()
• Client headers like user agent can be malicious as well.
• Thumb rule, if its not your data consider it bad. If you
can verify it, consider it trusted good data.
• White listing helps in verifying good data more than
black listing.
• See examples at xssed.com
4. SQL Injection
• Allowing SQL to be injected in the database
query.
• Most common attack point is the search of any
dynamic website and registration forms. These
two will be definitely talking to the database.
• $sql = "SELECT * FROM table WHERE id = '" .
$_REQUEST['id'] . "'";
• id = ‘ OR 1 UNION ALL SELECT * FROM table;
• Excellent examples
http://google.com/search?q=site:slideshare.net
sql injection
5. SQL Injection - Mitigation
• mysql_real_escape_string()
– $dbquery = sprintf(“SELECT name FROM user WHERE
id=‘%s’”, mysql_real_escape_string(‘id’));
• Parameterized queries
– $res = $query(“SELECT name FROM user WHERE id=?”,
$id);
– Standard mysql module in PHP doesn’t allow for
parameterized queries. You need mysqli
• Stored Procedures
– See a kickass example of stored proc used to hack more
than hundred thousand websites
• http://www.breach.com/resources/breach-security-
labs/alerts/mass-sql-injection-attack-evolutio
6. File Uploads
• Web apps add a directory in document root
for storing file uploads and give write access.
• They don’t randomize filenames. So a specially
crafted image file which has PHP code written
in it gets saved there.
• The malicious user is now free to call it using a
GET request and it gets executed.
• http://www.scanit.be/uploads/php-file-
upload.pdf
7. File Uploads - Mitigation
• The usual use case is uploading of image files.
• Use getimageinfo() to get the correct mime
type of the file from the file header.
• Generate a random file name
– $rand = time() . substr(md5(microtime()), 0,
rand(5, 12));
– Return $rand and append file extension
• Ideally noexec permission should be set on
the directory where files are copied to.
8. Endgame
• At this point you have reasonable ensured that
your PHP web application is not compromised.
• But the user connecting to your website are
vulnerable to session hijacking, CSRF from your
site etc.
• There are work around to the standard PHP
functions like this one for
mysql_real_escape_strings()
– http://shiflett.org/blog/2006/jan/addslashes-versus-
mysql-real-escape-string