This document discusses breaking and penetration testing Ruby on Rails applications. It covers fingerprinting the Rails framework, testing the attack surface through routes, session security issues, authentication vulnerabilities, authorization testing, CSRF protection bypass, model attribute assignment and SQL injection issues, view rendering exploits, and insecure defaults. Recommended tools for analysis include Brakeman, grep searches, and the Ruby Mechanize and Nokogiri libraries. The document provides references for further Rails security best practices.
Log4j? Log4Shell? I feel like I’ve heard those terms before… Perhaps you were so bogged down with remediation and incident response that you didn’t get the necessary time to research and understand the full scope of what happened.
In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and various open-source detection methods.
This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection.
We’ll finish up by discussing the aftermath of attacks seen in the wild, current APT approaches to this vulnerability, and address any security concerns that remain.
I’ll leave you with configured docker containers, detection mechanisms, and full instructions on how to emulate and detect this attack within your own environment.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Adam Nurudini
File upload vulnerabilities are a devastating category of web application vulnerabilities. Without secure coding and configuration, an attacker can quickly compromise an affected system.
This presentation will discuss types, how to discover, exploit, and how to mitigate file upload vulnerabilities.
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
Log4j? Log4Shell? I feel like I’ve heard those terms before… Perhaps you were so bogged down with remediation and incident response that you didn’t get the necessary time to research and understand the full scope of what happened.
In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and various open-source detection methods.
This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection.
We’ll finish up by discussing the aftermath of attacks seen in the wild, current APT approaches to this vulnerability, and address any security concerns that remain.
I’ll leave you with configured docker containers, detection mechanisms, and full instructions on how to emulate and detect this attack within your own environment.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Adam Nurudini
File upload vulnerabilities are a devastating category of web application vulnerabilities. Without secure coding and configuration, an attacker can quickly compromise an affected system.
This presentation will discuss types, how to discover, exploit, and how to mitigate file upload vulnerabilities.
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
Slides of the talk presented in the Hackers to Hackers Conference 2017 (H2HC 2017)
This talk discussed (a little bit deep) the root cause of these vulnerabilities in the context of the JVM
Slides for my webinar "API Security Fundamentals". They cover
👉 𝐎𝐖𝐀𝐒𝐏’𝐬 𝐭𝐨𝐩 𝟏𝟎 API security vulnerabilities with suggestions on how to avoid them, including the 2019 and the 2023 versions.
👉 API authorization and authentication using 𝐎𝐀𝐮𝐭𝐡 and 𝐎𝐈𝐃𝐂
👉 How certain 𝐀𝐏𝐈 𝐝𝐞𝐬𝐢𝐠𝐧𝐬 expose vulnerabilities and how to prevent them
👉 APIs sit within a wider system and therefore API security requires a 𝐡𝐨𝐥𝐢𝐬𝐭𝐢𝐜 𝐚𝐩𝐩𝐫𝐨𝐚𝐜𝐡. I’ll talk about elements “around the API” that also need to be protected
👉 automating API 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐞𝐬𝐭𝐢𝐧𝐠
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
With more APIs in circulation than ever before, there has been a direct correlation to the number of API abuses reported across industries. This is because APIs are such a valuable asset to bad actors, but many organizations have not yet woken up to the realities of the need to protect their APIs from abuse. If you couple that with the fact that attacks on APIs have become more sophisticated, with some attackers even using AI themselves, then you can see why even some of the more security-conscious organizations can have trouble properly securing their APIs.
A robust API Security posture can be broken down into several areas including:
Proper design and coding during the development process
API governance and compliance through visibility of all your APIs (shadow too!) and a mapping of how they connect to each other.
General application and API protection from tools such as API gateways, WAFs, NG-WAF, and RASPS
An always-updating understanding of your user behaviors regarding your APIs.
You won’t have comprehensive API security without solutions in each of these areas.
We will also discuss:
The roles of API developers, infosec, support, and enterprise architects as it relates to API security
Microservices role in making it difficult to secure your APIs
The importance of inventorying your APIs
How technologies like Traceable can help protect your APIs against advanced attacks
Key takeaways:
Why your API's are a key attack surface for modern bad actors
Why APi's are so much harder to secure than traditional web traffic
What's necessary to secure your APIs
Why yesterday's solutions can't solve today's new API security challenges
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker.
I will show:
how to find hidden API interfaces
ways to detect available methods and parameters
fuzzing and pentesting techniques for API calls
typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
Is your code secure? Do you know what are the practices in secure code review? In this talk you will see the important aspects of the various controls to build a reference when conducting secure code reviews in PHP.
The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities.
One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems.
I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest
(=attack) painful, or just rendered the scenarios irrelevant.
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
Cryptography for Java Developers
Hashes, MAC, Key Derivation, Encrypting Passwords, Symmetric Ciphers & AES, Digital Signatures & ECDSA
About the Speaker
What is Cryptography?
Cryptography in Java – APIs and Libraries
Hashes, MAC Codes and Key Derivation (KDF)
Encrypting Passwords: from Plaintext to Argon2
Symmetric Encryption: AES (KDF + Block Modes + IV + MAC)
Digital Signatures, Elliptic Curves, ECDSA, EdDSA
Live demos and code examples: https://github.com/nakov/Java-Cryptography-Examples
Video (in Bulgarian language): https://youtu.be/ZG3BLXWVwJM
Blog: https://nakov.com/blog/2019/01/26/cryptography-for-java-developers-nakov-at-jprofessionals-jan-2019/
This talk introduces Spring's REST stack - Spring MVC, Spring HATEOAS, Spring Data REST, Spring Security OAuth and Spring Social - while refining an API to move higher up the Richardson maturity model
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
Slides of the talk presented in the Hackers to Hackers Conference 2017 (H2HC 2017)
This talk discussed (a little bit deep) the root cause of these vulnerabilities in the context of the JVM
Slides for my webinar "API Security Fundamentals". They cover
👉 𝐎𝐖𝐀𝐒𝐏’𝐬 𝐭𝐨𝐩 𝟏𝟎 API security vulnerabilities with suggestions on how to avoid them, including the 2019 and the 2023 versions.
👉 API authorization and authentication using 𝐎𝐀𝐮𝐭𝐡 and 𝐎𝐈𝐃𝐂
👉 How certain 𝐀𝐏𝐈 𝐝𝐞𝐬𝐢𝐠𝐧𝐬 expose vulnerabilities and how to prevent them
👉 APIs sit within a wider system and therefore API security requires a 𝐡𝐨𝐥𝐢𝐬𝐭𝐢𝐜 𝐚𝐩𝐩𝐫𝐨𝐚𝐜𝐡. I’ll talk about elements “around the API” that also need to be protected
👉 automating API 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐞𝐬𝐭𝐢𝐧𝐠
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
With more APIs in circulation than ever before, there has been a direct correlation to the number of API abuses reported across industries. This is because APIs are such a valuable asset to bad actors, but many organizations have not yet woken up to the realities of the need to protect their APIs from abuse. If you couple that with the fact that attacks on APIs have become more sophisticated, with some attackers even using AI themselves, then you can see why even some of the more security-conscious organizations can have trouble properly securing their APIs.
A robust API Security posture can be broken down into several areas including:
Proper design and coding during the development process
API governance and compliance through visibility of all your APIs (shadow too!) and a mapping of how they connect to each other.
General application and API protection from tools such as API gateways, WAFs, NG-WAF, and RASPS
An always-updating understanding of your user behaviors regarding your APIs.
You won’t have comprehensive API security without solutions in each of these areas.
We will also discuss:
The roles of API developers, infosec, support, and enterprise architects as it relates to API security
Microservices role in making it difficult to secure your APIs
The importance of inventorying your APIs
How technologies like Traceable can help protect your APIs against advanced attacks
Key takeaways:
Why your API's are a key attack surface for modern bad actors
Why APi's are so much harder to secure than traditional web traffic
What's necessary to secure your APIs
Why yesterday's solutions can't solve today's new API security challenges
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker.
I will show:
how to find hidden API interfaces
ways to detect available methods and parameters
fuzzing and pentesting techniques for API calls
typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
Is your code secure? Do you know what are the practices in secure code review? In this talk you will see the important aspects of the various controls to build a reference when conducting secure code reviews in PHP.
The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities.
One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems.
I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest
(=attack) painful, or just rendered the scenarios irrelevant.
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
Cryptography for Java Developers
Hashes, MAC, Key Derivation, Encrypting Passwords, Symmetric Ciphers & AES, Digital Signatures & ECDSA
About the Speaker
What is Cryptography?
Cryptography in Java – APIs and Libraries
Hashes, MAC Codes and Key Derivation (KDF)
Encrypting Passwords: from Plaintext to Argon2
Symmetric Encryption: AES (KDF + Block Modes + IV + MAC)
Digital Signatures, Elliptic Curves, ECDSA, EdDSA
Live demos and code examples: https://github.com/nakov/Java-Cryptography-Examples
Video (in Bulgarian language): https://youtu.be/ZG3BLXWVwJM
Blog: https://nakov.com/blog/2019/01/26/cryptography-for-java-developers-nakov-at-jprofessionals-jan-2019/
This talk introduces Spring's REST stack - Spring MVC, Spring HATEOAS, Spring Data REST, Spring Security OAuth and Spring Social - while refining an API to move higher up the Richardson maturity model
This talk presents a brief overview of Use-after-Free vulnerability and corresponding exploitation techniques for Internet Explorer (IE), followed by description of memory protection schemes implemented in newer versions of IE in order to mitigate exploitation of such vulnerabilities.
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms. In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Building CI/CD Pipelines for Serverless Applications - SRV302 - re:Invent 2017Amazon Web Services
Building and deploying serverless applications introduces new challenges for developers whose development workflows are optimized for traditional VM-based applications. In this session, we discuss a method for automating the deployment of serverless applications running on AWS Lambda. We first cover how you can model and express serverless applications using the open-source AWS Serverless Application Model (AWS SAM). Then, we discuss how you can use CI/CD tooling from AWS CodePipeline and AWS CodeBuild, and how to bootstrap the entire toolset using AWS CodeStar. We will also cover best practices to embed in your deployment workflow specific to serverless applications.
You will also hear from iRobot about its approach to serverless deployment. iRobot will share how it achieves coordinated deployments of microservices, maintains long-lived and/or separately-managed resources (like databases), and red/black deployments.
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
When dealing with modern JavaScript applications, many penetration testers approach from an ‘out-side-in’ perspective, this is approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
Backbonification for dummies - Arrrrug 10/1/2012Dimitri de Putte
This presentation was given on the Arrrrug meeting as a first introduction to backbone.js in combination with rails after playing a couple of weeks with backbone.js.
Note: It is really on introduction level, in the meantime, my level of backbone.js and coffeescript have increased.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
2. • Released to the world as ‘extracted’ from BaseCamp
(37Signals) by @dhh during July 2004.
• Merged with Merb Project during December 2008 and Rails
3.0 was released.
• Two supported branch of development currently:
– Rails 3.x
– Rails 4.x
7. RoR: Web Blog Example
Our Blog is a web application where one or more Users
can self-register and sign-in using their registered
credentials.
Upon sign-in each User should be able to publish Blog
Post that is visible to any user or visitor of the portal.
Any User or Visitor of the portal should optionally
Comment on any Blog Post.
15. Learning Ruby on Rails
• Ruby on Rails Official Guide
– http://guides.rubyonrails.org/
• Agile Web Development with Rails
– http://pragprog.com/book/rails4/agile-web-development-with-rails
• Ruby on Rails Podcasts
– http://podcast.rubyonrails.org/
• Rails Code School
– https://www.codeschool.com/courses/rails-for-zombies-redux
• Rails Cast
– http://railscasts.com/
16. Breaking Ruby on Rails Applications
Image (Karate) by Nicholas Riggle from The Noun Project CC By 2.0
17. Penetration Testing Rails App
• Black/Gray Box Approach
– Conventional Testing
– Fingerprinting Rails Framework
– Rails specific Vulnerability Testing
– Rails specific Weakness Testing
• White Box Approach
– Automated Scan for known Vulnerabilities
• Brakeman
– Attack Surface enumeration through Routes
– Authentication & Authorization Testing
– Common Rails information disclosures (secret_token.rb)
– Model Attributes Security
– Custom/Unconventional SQL Queries Audit
– Responsive View Audit
18. Fingerprinting Rails Applications
• No generic and definitive technique!
– It’s a cat & mouse game really.
• Heuristics
– Session Identifier
– Asset Pipeline
– [ … ]
24. Attack Surface: Routes
• Default Routing
– <Resource> is handled by app/controllers/<resources>_controller.rb
– CRUD on Resource
25. Session Security
• A whole set of attacks are possible on Session
Management functionality of any Web
Application.
– Session Hijack, Session Fixation, Session Id Prediction, Session
Data Tampering, Leveraging Session Data for RCE etc.
• Rails provide inbuilt Session Management
– The session object is available to application
developer as a Hash/Map to store arbitrary data.
– The session object is serialized and stored in
corresponding session storage as per configuration.
– Signed cookie is used for session storage by default.
27. Session Security: Best Practices
Enforce SSL in order to avoid sniffing of session id
Re-generate session after authentication to avoid session fixation
Store session in database instead of Cookie which is default
Cookie based Session Store are susceptible to Replay Attacks
28. Authentication
• Multiple Popular Authentication Plugin
– Devise
– RESTful Authentication
– […]
• Devise
– Auto-generated Registration, Confirmation, Login,
Forgot Password etc.
– Controller filter for enforcing authentication.
29. Testing Authentication
• Generic Issues
– Weak Session Management
– Weak Authentication Enforcement
– Weak Password Encryption
• Plugin/Gem Specific
– Devise Vulnerabilities
– Lack of Authentication Enforcement
– Timing Attacks
– Information Gathering through default message
Are all controllers protected by Authentication System?
30. Authorization
• Not provided by default in the framework.
– Encourages RESTful design.
• Easy to implement RBAC on Resources
– Multiple Gem/Plugin available
Example usage of CanCan for Authorization
https://github.com/ryanb/cancan
32. Rails CSRF Protection
CSRF Token generation and checking is enforced by default.
• Application must use Rails Form Tag Helps to
generate forms rather than HTML directly.
• HTTP GET is not protected !
34. Rails Model Security
• The Business Logic Layer
– Database Abstraction through ORM
– Entity Relationship Definition
– Business Logic
• Common Security Issues
– Attribute Mass Assignment
• Mitigated by default in newer version of Rails
– Custom (insecure) SQL Queries
– Business Logic Vulnerabilities
37. Rails Model: Insecure SQL Queries
The application developer should ensure that the Query Interface
understand the difference between Query and Data.
38. Rails Model: SQL Injection Vectors
• ActiveRecord does not escape parameters for
certain options:
Source: http://rails-sqli.org/
39. View Rendering
• Dynamic parameters are encoded by default
unless explicitly marked as safe.
• There are scope for Reflected XSS
– Strings marked explicitly with html_safe method.
– Textile/Markdown Injection
– Insecure used of content_tag
40. Secure Headers
• Rails 3.x is vulnerable to Clickjacking & UI
Redressing Type of attacks in default
configuration.
– Easy Mitigation
• gem ‘secureheaders’ in Gemfile
– https://github.com/twitter/secureheaders