PHP is the most commonly used server-side programming language and is deployed on more than 80% of web servers all over the world. However, PHP is a 'grown' language rather than a deliberately engineered one, which makes writing insecure PHP applications far too easy and common. If you want to use PHP securely, you should be aware of all of its pitfalls.
Code review is, hopefully, part of regular development practices for any organization. Adding security elements to code review can be the most effective measure in preventing vulnerabilities, very early in the development lifecycle, even before the first commit. This is an interactive presentation that contains the basic elements to get you started. The audience will help review more than a dozen software examples in order to tell the good from the ugly. The software examples are based on OWASP Top 10 and SANS Top 25 favourites such as Injection, Memory Flaws, Sensitive Data Exposure, Cross-Site Scripting and Broken Access Control.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explains how we can start secure code review effectively.
Introduction to Web Application Penetration Testing (Anurag Srivastava)
Web Application Pentesting
* The process of checking and penetrating the security of a web application or website
* The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found are presented to the system owner, together with an assessment of the impact and a proposal for mitigation or a technical solution.
Introduction to Ethical Hacking, the Life Cycle of Hacking, Introduction to Penetration Testing, Steps in Penetration Testing, Footprinting Module, Scanning Module, Live Demos on Finding Vulnerabilities: a) Bypass Authentication, b) SQL Injection, c) Cross-Site Scripting, d) File Upload Vulnerability (Web Server Hacking), and Countermeasures for Securing Web Applications.
Slides for my webinar "API Security Fundamentals". They cover:
👉 OWASP's top 10 API security vulnerabilities with suggestions on how to avoid them, including the 2019 and the 2023 versions.
👉 API authorization and authentication using OAuth and OIDC
👉 How certain API designs expose vulnerabilities and how to prevent them
👉 APIs sit within a wider system and therefore API security requires a holistic approach. I'll talk about elements "around the API" that also need to be protected
👉 automating API security testing
A talk about how to design code that helps one avoid some of the issues identified in the OWASP Top 10. Domain Driven Security is one of the main tools to achieve this.
Application Security - Your Success Depends on it (WSO2)
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
+ Background & Basics of Web App Security, The HTTP Protocol
+ Web Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc.), Remediation of Web App Vulnerabilities
+ Web Application Audits and Risk Assessment
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Introduction to Web Application Penetration Testing (Netsparker)
These slides give an introduction to all the different things and stages that make a complete web application penetration test. It starts from the very basics, including how to define a Scope of Engagement.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
Misconfiguration is defined as configuration mistakes that result in unintended application behavior, including misuse of default passwords, excessive privileges, and excessive debugging information disclosure.
Cross Site Scripting (XSS): Prevention and Detection (Aman Singh)
Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser.
AnyID is the infrastructure of Thailand's National e-Payment Initiative. The presentation explains National e-Payment big picture, AnyID as a payment Infrastructure, AnyID security design & implementation and also privacy comparison between “With” and “Without” AnyID.
Securing an organization from cyber crime cannot be done by perimeter defense alone. One of the most important pieces of knowledge is understanding cyber criminal operations. This presentation explains two common operations that can be found all over the internet and how to defend against them.
I started working at Kiatnakin Bank PLC as Head of IT Security in 2014 and introduced secure software development to the firm. So I want to share my experience of how my bank adopted secure software development successfully. I wish this could serve as an example for other organizations to use in building their own secure software process.
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
This presentation explains how to discover this vulnerability in an application, how to test for it and how to mitigate the risk.
Logs from machines can reveal security incidents, but how can they be managed and analyzed properly? This presentation lays the foundation of Big Data analytics using information security scenarios as examples and also presents practical analytics from my experience.
This slide was presented in MiSSConf(SP1) June 18, 2016
For more than a decade, organizations have trusted network perimeter protection such as firewalls or intrusion prevention systems to protect their IT infrastructure from internet threats. However, traditional network security protection may not be sufficient to safeguard against new threats targeting security flaws in web servers and web applications. In order to defend against the threats related to these services and applications, it is essential to understand the risks commonly found in web applications.
This presentation explains the need for application security as the last line of defense, common web application risks and the security measures that need to be implemented alongside the development of web applications.
The OWASP Top Ten Proactive Controls 2016 is a list of security techniques that should be included in every software development project. They are ordered by importance, with control #1 being the most important. This presentation is the second part, which covers controls #5 to #10:
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling
AnyID is the infrastructure of Thailand's National E-Payment Initiative. The presentation explains AnyID flows and information security implementation.
The most massive crime of identity theft in history was perpetrated in 2007 by exploiting an SQL Injection vulnerability. This issue is one of the most common and most serious threats to web application security. In this presentation, you'll see some common myths busted and you'll get a better understanding of defending against SQL injection.
During this workshop we teach software developers how to deliver secure software by using secure coding techniques. Secure software greatly reduces the number of security incidents!
Hacking Your Way to Better Security - PHP South Africa 2016 (Colin O'Dell)
This talk educates developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, and more. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. We'll then apply this knowledge to see how web applications can be secured against such vulnerabilities.
This presentation contains the list of the top 10 bad practices that lead to security problems, in MY opinion based on code reviews. Those practices are:
“eval” Function,
Ignore Exception,
Throw Generic Exception,
Expose Sensitive Data or Debug Statement,
Compare Floating Point with Normal Operator,
Not validate Input,
Dereference to Null Object,
Not Use Parameterized Query,
Hard-Coded Credentials,
Back-Door or Secret Page
Accelerate your business and reduce cost with OpenStack (Opsta)
OpenStack is open source software for creating private and public clouds; it is a coordinated collection of software from a few dozen related projects. This presentation gives you an introduction to OpenStack and how it can help your business move faster and reduce cost.
CloudTalk #17 at AIA Tower on March 16, 2017
A database firewall is a useful tool that monitors databases to identify and protect against database-specific attacks, which mostly seek to access sensitive information stored in the databases. However, commercial database firewalls are expensive and need specific product knowledge, while the open-source database firewalls are designed for specific open-source database servers.
In order to fulfill the need for an inexpensive database firewall, Snort, an open-source IDS/IPS, can achieve the goal in some scenarios using familiar rule writing. The paper explains the limitations of Snort as a database firewall, constraints of commercial database statements and some example implementations.
Business continuity and disaster recovery are not the same, but they complement each other. Planning for BCP and DRP is necessary for every business. This slide deck contains information on how to achieve and maintain them.
Table of Contents
The OWASP Top Ten
Unvalidated Redirects and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
Custom, in depth 5 day PHP course I put together in 2014. I'm available to deliver this training in person at your offices - contact me at rich@quicloud.com for rate quotes.
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. As of January 2013, PHP was installed on more than 240 million websites (39% of those sampled) and 2.1 million web servers.[4] Originally created by Rasmus Lerdorf in 1994,[5] the reference implementation of PHP (powered by the Zend Engine) is now produced by The PHP Group.[6] While PHP originally stood for Personal Home Page,[5] it now stands for PHP: Hypertext Preprocessor, which is a recursive backronym.
Biometric authentication is a method of verifying a user's identity based on their physical characteristics, such as fingerprints, facial recognition, or voice recognition. It is becoming increasingly popular as a more secure alternative to passwords. However, there are some limitations to biometric authentication that should be considered. While biometrics can be very accurate, they are not foolproof. For example, fingerprints can be lifted and used to create fake prints, and facial recognition can be fooled by masks or makeup. Additionally, biometrics can be expensive to implement and maintain.
Based on NIST SP800-63B, this presentation will explain the limitations and the recommendations on biometric authentication. These recommendations are designed to help organizations choose and implement biometric authentication systems in a way that is secure and effective.
Shifting security left addresses security concerns earlier in the software development life cycle (that is, further left in a left-to-right schedule diagram). The question is: "Are the security concerns in the software development life cycle sufficient?" This presentation introduces "Shifting Leftmost in Security", which focuses on security architecture. Software implementation in medium and large enterprise environments requires a well-defined architecture, especially for security requirements. The scope of this presentation covers secure application infrastructure and secure application design.
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
In software development, many security designs are needed to fulfill both functional and non-functional requirements. However, it is hard to design some specific security requirements properly because some security domains are not easy to understand. Using security patterns can reduce the complexity of the designs, especially with the widely used patterns.
This presentation talks about what security patterns are, their value and how they have been used in software development, with examples from two security domains: cryptography and access control.
During the COVID-19 pandemic, staying home is one of the key factors in saving lives through social distancing. However, it is not so easy to move most of the employees of a large enterprise that is not always on the Internet, such as the banking sector, to work from home without a well-planned architecture. This presentation talks about the security architecture that my company chose to build in a multi-cloud environment and how 60% of employees can work from home with this security architecture.
This presentation was presented at the OWASP Thailand Chapter Meeting 5/2019 (July 25). It is about how to design data architecture and secure software in order to protect the organization from regulatory penalties caused by data breaches. However, this slide deck is still incomplete and needs more clarification, so it will be most useful for those who attended the meeting. Be careful with distribution.
Blockchain technology is a distributed ledger platform that provides open and transparent transaction information with integrity and non-repudiation based on modern cryptography. It is also the technology behind many cryptocurrencies. This presentation will give fundamental knowledge on how blockchain works, its cryptography implementation, cryptocurrency definition and related terms and also blockchain use cases.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Thailand's National Digital ID Platform is an infrastructure for connecting all parties, such as Relying Parties, Identity Providers, Authoritative Sources and users, to perform authentication, consent, identification or electronic signing. This presentation updates the progress of the technical team as of November 27, 2017.
The number of embedded systems connecting to the Internet, the "Internet of Things" (IoT), grows year by year. Thus, IoT ecosystems become new targets for attackers. This presentation talks about the basic principles of information security, why we need to secure IoT ecosystems, and the vulnerabilities and solutions from OWASP.
Nowadays, embedded systems are widely used and connected to networks, especially the Internet. This has become the Internet of Things (IoT) era. When a device is on the Internet, it may be attacked or intentionally misused by unauthorized persons. How can we make IoT devices secure under limited resources?
This presentation explains the lessons learned from the banking and card payment industry on how embedded systems process financial transactions reliably and securely.
Hardware Security Modules (HSMs) are widely used for cryptographic key management in many areas such as PKI, card payment, trusted platform modules, etc. However, they are rarely used in in-house software development.
This presentation explains why we need key management and its fundamentals, gives an overview of HSMs and how they take part in key management, covers HSM selection criteria, and finally presents an idea for a web service wrapper that is easier to adopt by developers who lack knowledge of cryptographic programming.
This presentation is the overview of OWASP Application Security Verification Standard Project (ASVS) V3.0.1, presented in Thailand Cybersecurity Week arranged by ETDA on Jun 26, 2017
Software security covers everything from requirements, design, implementation, testing and deployment to security monitoring. However, coding practices during implementation are also an essential part of software security. This presentation explains the fundamentals of software security and the top 5 secure coding practices that will reduce software vulnerabilities drastically.
2. WhoAmI
• Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
• Food Mania
– Steak, Yakiniku, BBQ
– Sushi (especially Otoro)
– All Kinds of Noodle
• 16 Years In PHP Coding, Since v4.0
(3rd fluent programming language next to C & C++)
• Consultant for OWASP Thailand Chapter
• Head of IT Security & Solution Architecture,
Kiatnakin Bank PLC (KKP)
5. Usage of Server-Side Programming Languages for Websites
(chart; each language's share of websites, in descending order)
• PHP 81.9%
• ASP.NET 15.7%
• Java 2.9%
• Static Files 1.5%
• Cold Fusion 0.7%
• Ruby 0.6%
• Perl 0.4%
• JavaScript 0.3%
• Python 0.2%
• Erlang 0.1%
W3Techs.com, 11 September 2016
6. Web Apps in PHP are Most Vulnerable
• 86% of applications written in PHP contained at least one cross-site scripting (XSS) vulnerability.
• 56% of apps included SQLi (SQL injection), one of the most dangerous and easiest-to-exploit web application vulnerabilities.
• 67% of apps allowed for directory traversal.
• 61% of apps allowed for code injection.
• 58% of apps had problems with credentials management.
• 73% of apps contained cryptographic issues.
• http://thehackernews.com/2015/12/programming-language-security.html
7. PHP Characteristics
• Unusual → Language + Web Framework
• A large community of libraries that
contribute to programming in PHP
• All three aspects (language, framework,
and libraries) need to be taken into
consideration when trying to secure a PHP
site
8. Language Issues
• Weak typing
• Exceptions and error handling
• php.ini
• Unhelpful builtins
9. Language Issue: Weak Typing
• PHP will automatically convert data of an incorrect type into the expected type.
$x = 1 + "1"; // x is 2
• Leads to bugs, injections and vulnerabilities if improperly handled.
• Try to use functions and operators that do not do implicit type conversions (e.g. === and not ==), but not all operators have a strict version (such as < or >).
• Many built-in functions (like in_array) use weakly typed comparison by default, making it difficult to write correct code.
12. Language Issue: Exception and Error Handling
• Almost all PHP builtins, and many PHP libraries, do not use exceptions; instead they report an error and then allow the faulty code to carry on running.
• In many other languages, an error condition the programmer failed to anticipate stops execution. → Fail Safe
• It is often best to turn error reporting up as high as possible using the error_reporting function, and never attempt to suppress error messages; always follow the warnings and write code that is more robust.
• Use the set_error_handler function to install a user-defined error handler.
13. Language Issue:
Exception and Error Handling
What is wrong with this code, which checks whether a user is blacklisted?
$db = mysqli_connect('localhost', 'dbuser', 'dbpassword', 'dbname');
function can_access_feature($current_user) {
global $db;
$uid = mysqli_real_escape_string($db, $current_user->uid);
$res = mysqli_query($db, "SELECT COUNT(id) FROM blacklist WHERE uid = '$uid';");
$row = mysqli_fetch_array($res);
if ((int)$row[0] > 0) {
return false;
} else {
return true;
}
}
if (!can_access_feature($current_user)) {
exit();
}
// Code for feature here
What happens if the DB connection fails?
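The slide's check fails open: when the connection or query fails, mysqli_query() returns false, mysqli_fetch_array() returns null with a warning, (int)$row[0] is 0 and the function returns true, so a database outage grants access. The following is an added example, not code from the slides, that rewrites the same check to fail closed. It keeps the slide's names (can_access_feature, the blacklist table, the connection parameters) and assumes $current_user is provided by the application's session handling, as on the slide.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false and emitting
// warnings, so a failed connection or query cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumption: the blacklist table and column names are those of the slide.
function can_access_feature(mysqli $db, object $current_user): bool
{
    try {
        // Prepared statement: the uid is bound as a value, never interpolated.
        $stmt = $db->prepare('SELECT COUNT(id) FROM blacklist WHERE uid = ?');
        $stmt->bind_param('s', $current_user->uid);
        $stmt->execute();
        $stmt->bind_result($count);
        // COUNT() always yields exactly one row; anything else is an anomaly.
        if (!$stmt->fetch()) {
            $stmt->close();
            return false;
        }
        $stmt->close();
        // Default deny: only an explicit "not on the blacklist" grants access.
        return (int)$count === 0;
    } catch (mysqli_sql_exception $e) {
        // Fail closed: on any database error deny access and record the cause
        // server-side (never echo the message to the client).
        error_log('blacklist check failed: ' . $e->getMessage());
        return false;
    }
}

try {
    // Connection parameters as on the slide; an unreachable DB is now an
    // exception, not a false value that later code quietly misuses.
    $db = new mysqli('localhost', 'dbuser', 'dbpassword', 'dbname');
} catch (mysqli_sql_exception $e) {
    error_log('db connect failed: ' . $e->getMessage());
    http_response_code(503);
    exit();
}

// $current_user: assumed to come from the application's session layer.
if (!can_access_feature($db, $current_user)) {
    http_response_code(403);
    exit();
}
// Code for feature here
```

The two design choices that matter are MYSQLI_REPORT_STRICT, which turns every silent failure into an exception, and the catch block returning false: an unanswerable question about the blacklist is treated as "blocked", not "allowed".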
14. Language Issue: php.ini
• PHP code often depends strongly on the
values of many configuration settings
• Difficult to write code that works correctly in
all circumstances.
• Difficult to correctly use 3rd party code
15. Language Issue: Unhelpful Builtins
• Built-in functions that appear to provide security but are buggy or hard to use correctly:
– addslashes
– mysql_escape_string
– mysql_real_escape_string
• The 'array' data structure
– Extensively used in all PHP code and internally
– A confusing mix between an array and a dictionary
– Causes even experienced PHP developers to introduce critical security vulnerabilities, such as Drupal SA-CORE-2014-005 (CVE-2014-3704)
16. Framework Issues
• URL Routing: “.php” or not
• Input Handling
– Instead of treating HTTP input as simple strings, PHP will build arrays from HTTP input
• Template Language
– PHP itself acts as the template language, but it does not do HTML escaping by default
– Leads to Cross-Site Scripting
• Other Inadequacies
– No CSRF protection mechanism
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#Framework_issues
17. Input Handling Example
A password reset code:
$supplied_nonce = $_GET['nonce'];
$correct_nonce = get_correct_value_somehow();
if (strcmp($supplied_nonce, $correct_nonce) == 0) {
// Go ahead and reset the password
} else {
echo 'Sorry, incorrect link';
}
If an attacker uses a query string like this:
http://example.com/?nonce[]=a
● Then $supplied_nonce is an array.
● The function strcmp() will then return NULL.
● Due to weak typing and the use of the == (equality) operator instead of the === (identity) operator, the expression NULL == 0 evaluates to true.
● The attacker will be able to reset the password without providing a correct nonce.
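Both slide 9 (weak comparisons) and this slide (array input defeating strcmp) come down to the same defensive habits: reject input of the wrong type before comparing it, and compare with functions that return a boolean rather than something == will coerce. The block below is an added example, not code from the slides. get_correct_value_somehow() is a hypothetical stand-in for the slide's unnamed lookup, and the 32-hex-character nonce format is an assumption. Note that on PHP 8 strcmp() with an array argument throws a TypeError rather than returning NULL, which is the page's PHP 5/7 behaviour; the is_string() check handles both.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the slide's get_correct_value_somehow():
// a 32-character hex nonce (assumed format).
function get_correct_value_somehow(): string
{
    return bin2hex(random_bytes(16));
}

// Strict verification of a reset nonce taken from a request parameter.
// $supplied is deliberately untyped: it is whatever $_GET handed us.
function verify_nonce($supplied, string $correct): bool
{
    // 1. Reject anything that is not a plain string. ?nonce[]=a arrives as an
    //    array, which strcmp() would turn into NULL (PHP 5/7) or a TypeError (PHP 8).
    if (!is_string($supplied)) {
        return false;
    }
    // 2. Enforce the expected syntax and length before any comparison.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $supplied)) {
        return false;
    }
    // 3. hash_equals() returns a real boolean and runs in constant time,
    //    so there is no int-or-NULL result for a weak == to misjudge.
    return hash_equals($correct, $supplied);
}

// Weak comparisons the slides warn about, collected in one place so the
// surprising results can be inspected; each comment states the outcome.
function weak_comparison_pitfalls(): array
{
    return [
        // Two "0e..." strings are both numeric zero under ==, so they compare
        // equal on every PHP version (the "magic hash" problem).
        'magic_hash'  => ('0e462097431906509019562988736854' == '0e830400451993494058024219903391'), // true
        // in_array() is weak by default: on PHP 7, 0 == "admin" is true, so this
        // finds a match; PHP 8 changed string/number comparison and returns false.
        'in_array'    => in_array(0, ['admin', 'editor']),
        // The strict third argument gives the intended answer on every version.
        'in_array_ok' => in_array(0, ['admin', 'editor'], true),                // false
        // The exact comparison from the slide's reset code.
        'null_eq_0'   => (null == 0),                                           // true
    ];
}

// Usage with the slide's request flow:
$ok = verify_nonce($_GET['nonce'] ?? null, get_correct_value_somehow());
if ($ok) {
    // Go ahead and reset the password
} else {
    echo 'Sorry, incorrect link';
}
```

The order of the checks is the point: type, then shape, then value. Each step only ever produces a boolean, so the weak == from the slide has nothing to coerce.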
19. P1: Remote Code Execution
• Remote Code Execution or Arbitrary Code Execution is the
ability to trigger arbitrary code execution from one machine
on another (especially via a wide-area network such as the
Internet)
• The most widespread PHP security issue since July 2004
• The root causes of this issue are:
– Insufficient validation of user input prior to dynamic file system calls,
such as require or include or fopen()
– allow_url_fopen and PHP wrappers allow this behavior by default,
which is unnecessary for most applications
$handle = fopen("http://www.example.com/", "r");
– Poor permissions and planning by many hosters allowing excessive
default privileges and wide ranging access to what should be off
limits areas.
20. P1: Remote Code Execution (cont’d)
• Version Affected: PHP 4 (after PHP 4.0.4), 5.x
• CVE/CAN Entries: More than 100 such vulnerabilities reported since July 30, 2004, for example:
– Magento < 2.0.6 (popular eCommerce platform) Unauthenticated Remote Code Execution (CVE-2016-4010)
http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/
– Joomla! 1.5.x, 2.x, and 3.x < 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header (CVE-2015-8562)
http://www.securityfocus.com/bid/79195
– vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code (CVE-2015-7808)
http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/
21. How to Determine If You Are Vulnerable
Inspect your code for constructs like:
$report = $_POST['report_name'];
include $report;
or
$username = $_POST['username'];
eval("echo $username");
Other code constructs to look for include:
● fopen(), fsockopen()
● Direct command execution - popen(), system(), ` (backtick operator). Allows remote attackers to execute code on the system without necessarily introducing remote code.
● Direct PHP code execution via eval()
● Limited evaluation if the attacker supplied PHP code is then used within double quotes in the application code – most useful as an information disclosure
● include, include_once, require, require_once with dynamic inputs
● file_get_contents()
● imagecreatefromXXX()
● mkdir(), unlink() and rmdir() and so on - PHP 5.0 and later has limited support for some URL wrappers for almost all file functions
22. How to Protect Against Remote Code
Execution
• Developers should
– Review existing code for file operations, include/require, and
eval() statements to ensure that user input is properly validated
prior to first use
– When writing new code, try to limit the use of dynamic inputs
from users to vulnerable functions either directly or via wrappers
• Hosters should:
– Disable allow_url_fopen in php.ini by setting it to 0
– Enable safe_mode and set open_basedir restrictions (if you
know what you're doing - it's not really that safe!)
– Lock down the server environment to prevent the server from making new outbound requests
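Slide 22's first developer action, validating user input before it reaches include/require or fopen(), usually means one of two things in practice: map the parameter onto a fixed set of names, or, where the set is not enumerable, resolve the name to a canonical path and confirm it stays inside the intended directory. The block below is an added example, not code from the slides or from any project named on them. REPORT_DIR, the REPORTS map and the report names are assumptions; the $_POST['report_name'] parameter is the one from slide 21.

```php
<?php
declare(strict_types=1);

// Assumed layout: report templates are PHP files under REPORT_DIR.
const REPORT_DIR = __DIR__ . '/reports';

// Approach 1, allowlist: the request parameter is a key, never a path.
// Anything not in the map (../, php://, http://, NUL bytes) simply misses.
const REPORTS = ['sales' => 'sales.php', 'stock' => 'stock.php'];

function report_path_allowlist(string $name): ?string
{
    return isset(REPORTS[$name]) ? REPORT_DIR . '/' . REPORTS[$name] : null;
}

// Approach 2, containment: for names that cannot be enumerated, restrict the
// character set, canonicalise with realpath(), and verify the result is a
// regular file underneath the base directory.
function report_path_contained(string $name): ?string
{
    // No separators, dots or wrapper prefixes can pass this pattern.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath(REPORT_DIR);
    $path = realpath(REPORT_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // base missing or file does not exist
    }
    // realpath() has already resolved symlinks and "..": the canonical path
    // must still start with "<base>/" to be accepted.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Request handling for the construct shown on slide 21, using the allowlist.
$report = $_POST['report_name'] ?? '';
$path = report_path_allowlist($report);
if ($path === null) {
    http_response_code(400);
    exit('unknown report');
}
include $path;
```

The allowlist is preferable whenever it is possible; the containment check exists for the cases where it is not, and even then the character-class check comes first so that wrapper schemes such as http:// never reach the file system functions at all.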
23. P2: Cross-Site Scripting (XSS)
• Cross-site scripting (aka. HTML injection or user agent
injection) can be in three modes
– Reflected: The attacker provides a link or other payload
containing embedded malicious content, which the application
immediately displays back to the victim. This is the primary form
of phishing via e-mail (such as eBay scams, bank scams, etc)
– Persistent: The attacker stores malicious content within a
database, which is then exposed to victims at a later time. This
is the most common form of XSS attack against forum and web
mail software.
– DOM: The attacker uses the victim site’s JavaScript code to
perform reflected XSS. This technique is not widely used as yet,
but it is just as devastating as any form of cross-site scripting.
24. P2: Cross-Site Scripting (XSS) (cont’d)
• Version Affected: All
• CVE/CAN Entries: More than 100 XSS entries since July
2004.
– WordPress ≤ 4.5.2 Unspecified Cross Site Scripting Vulnerability
(CVE-2016-6634) http://www.securityfocus.com/bid/92390
– Joomla! 3.4.x < 3.4.4 allows remote attackers to inject arbitrary
web script or HTML (CVE-2015-6939)
http://www.securitytracker.com/id/1033541
– VBulletin Cross-site scripting
http://www.securityfocus.com/bid/14874
– Coppermine Display Image Cross-site scripting
http://www.securityfocus.com/bid/14625
– WordPress Edit Cross-site Scripting
http://www.securityfocus.com/bid/13664
25. How to Determine If You Are Vulnerable
• Does the application rely upon register_globals to work? If so, your application is at a slightly higher risk, particularly if you do not validate input correctly.
• Inspect user input handling code for unsafe inputs:
echo $_POST['input'];
• If you use JavaScript to redirect the user (via document.location, window.open or any similar means), output to the user via document.write, or modify the DOM in any way, you are likely to be at risk of DOM injection.
26. How to Protect Against Cross-site
Scripting
• Turn off register_globals and ensure all variables are properly
initialized
• Obtain user input directly from the correct location ($_POST,
$_GET, etc) rather than relying on register_globals or the request
object ($_REQUEST)
• Validate input properly for type, length, and syntax
• Free text input can only be safely re-displayed to the user after
using HTML entities (htmlentities() function)
• Variables sent back to the user via URLs must be URL encoded
using urlencode()
• Validate JavaScript code against Klein’s DOM Injection paper
(http://crypto.stanford.edu/cs155/CSS.pdf) to ensure that they are
immune from DOM injection attacks
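Slide 26 names the two encoders (htmlentities() for re-displayed text, urlencode() for values placed in URLs); what it does not show is that the right encoder depends on where in the page the value lands. The block below is an added example, not code from the slides. It uses htmlspecialchars(), which escapes the same characters that matter for XSS as htmlentities() but leaves other non-ASCII text alone, and the helper names e(), link_to_search() and js_value() are assumptions.

```php
<?php
declare(strict_types=1);

// HTML text and attribute context. ENT_QUOTES covers both quote styles so
// the value is also safe inside a double- or single-quoted attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output; the charset
// is given explicitly rather than relying on php.ini.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL query context: percent-encode the value first (urlencode, as on the
// slide), then HTML-escape the whole URL because it sits in an attribute.
function link_to_search(string $q): string
{
    $url = '/search?q=' . urlencode($q);
    return '<a href="' . e($url) . '">' . e($q) . '</a>';
}

// JavaScript string context: serialise rather than interpolate. The JSON_HEX_*
// flags encode <, >, &, ' and " as \uXXXX so the literal cannot close the
// surrounding <script> element or string.
function js_value(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// The line from slide 25, followed by the safe form for each output context.
$input = $_POST['input'] ?? '';
// echo $input;                                  // reflected XSS (slide 25)
echo e($input);                                   // HTML text
echo '<input value="' . e($input) . '">';         // HTML attribute
echo link_to_search($input);                      // URL parameter in a link
echo '<script>var q = ' . js_value($input) . ';</script>'; // JS string literal
```

One encoder per context is the rule to review for: code that reuses the HTML encoder for a JavaScript string, or skips urlencode() for a query parameter, is the usual source of the "we escaped it, why is it still exploitable" finding.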
27. P3: SQL Injection
• A SQL injection attack consists of insertion or
"injection" of a SQL query via the input data from the
client to the application.
• SQL injection exploits can read sensitive data, modify,
execute administration operations and in some cases
issue commands to the operating system
• Most PHP programmers concatenate input parameters directly into SQL statements
$sql = "SELECT * FROM users WHERE username = '" .
$username . "';";
What if $username is '; DROP TABLE users; --
28. P3: SQL Injection (cont’d)
• Version Affected: All
• CVE/CAN Entries: More than 100 CVE / CAN entries from multiple vendors, for example:
– vBulletin 3.6.x – 4.2.3 allows remote attackers to execute arbitrary
SQL commands via the postids parameter to
forumrunner/request.php (CVE-2016-6195)
https://enumerated.wordpress.com/2016/07/11/1/
– Wordpress < 4.2.4 SQL injection vulnerability (CVE-2015-2213)
https://core.trac.wordpress.org/changeset/33556
– Joomla! 3.x < 3.4.7 allows attackers to execute arbitrary SQL
commands (CVE-2015-8769)
http://www.securityfocus.com/bid/79679
• Bugtraq usually offers up two to three different PHP
applications with SQL injection vulnerabilities per day
29. vBulletin SQL injection CVE-2016-6195
The root of the vulnerability, /forumrunner/includes/moderation.php:
function do_get_spam_data() {
...
$vbulletin->input->clean_array_gpc('r', array(
'threadid' => TYPE_STRING,
'postids' => TYPE_STRING,
));
…
} else if ($vbulletin->GPC['postids'] != '') {
$postids = $vbulletin->GPC['postids'];
$posts = $db->query_read_slave("SELECT post.postid,
post.threadid, post.visible, post.title, post.userid,
thread.forumid, thread.title AS thread_title, thread.postuserid,
thread.visible AS thread_visible, thread.firstpostid FROM " .
TABLE_PREFIX . "post AS post LEFT JOIN " . TABLE_PREFIX .
"thread AS thread USING (threadid) WHERE postid IN ($postids)");
31. How to Determine If You Are Vulnerable
• Find code which calls mysql_query() or similar database interfaces
• Inspect if any calls create dynamic queries using user input
$query = "SELECT id, name, inserted, size FROM products
WHERE size = '$size'";
$result = odbc_exec($conn, $query);
What if $size is
' union select '1', concat(uname||'-'||passwd) as name,
'1971-01-01', '0' from usertable;
32. How to Protect Against SQL Injection
• Migrate code to PHP 5.1 and use PDO, or if this is not possible, at
least migrate code to safer constructs, such as PEAR::DB’s
parameterized statements or the MySQLi interfaces
• Validate data for correct type, length, and syntax.
• Do not use dynamic table names - escape functions are not designed
for this use and are not safe for this use.
• Use white listing (positive validation) data over black listing, which is
akin to virus patterns – always out of date, and always insufficient
against advanced attacks
• As a last resort, code should be using mysql_real_escape_string()
(but not addslashes() which is insufficient). This provides limited
protection to simple SQL injections.
• Provide a .htaccess file to ensure that register_globals and
magic_quotes are forced off, and that all variables are properly
initialized and validated
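Slide 32's first recommendation is PDO with parameterized statements. The slide 31 query binds cleanly, but the vBulletin query on slide 29 does not: a comma-separated list in WHERE postid IN (...) cannot be a single bound parameter, and dynamic table or column names (slide 32's "do not use dynamic table names") cannot be bound at all. The block below is an added example, not code from the slides or from vBulletin, showing all three cases. The DSN and credentials are constructed, the products and post tables are simplified stand-ins for the slides' tables, and the helper names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed connection. ERRMODE_EXCEPTION so failures are never silent;
// emulated prepares off so parameters are bound by the server, not spliced
// into the SQL text by the driver.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=dbname;charset=utf8mb4',
        'dbuser',
        'dbpassword',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Case 1: slide 31's query with $size bound instead of interpolated. The
// payload from that slide now arrives as a literal size value and matches nothing.
function products_by_size(PDO $pdo, string $size): array
{
    $stmt = $pdo->prepare('SELECT id, name, inserted, size FROM products WHERE size = ?');
    $stmt->execute([$size]);
    return $stmt->fetchAll();
}

// Case 2: slide 29's pattern, a comma-separated id list used in IN (...).
// Each element is validated as a positive integer and gets its own
// placeholder; the list is never copied into the SQL string.
function posts_by_ids(PDO $pdo, string $postids): array
{
    $ids = [];
    foreach (explode(',', $postids) as $raw) {
        $raw = trim($raw);
        if (!preg_match('/\A[1-9][0-9]{0,17}\z/', $raw)) {
            return []; // any non-integer element rejects the whole request
        }
        $ids[] = (int)$raw;
    }
    if ($ids === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT postid, threadid, title FROM post WHERE postid IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll();
}

// Case 3: identifiers. A column name or sort direction is part of the SQL
// grammar, so escaping functions do not apply; map user input through an
// allowlist and use only the mapped value.
function products_sorted(PDO $pdo, string $column, string $dir): array
{
    $columns = ['name' => 'name', 'size' => 'size', 'date' => 'inserted'];
    if (!isset($columns[$column])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $order = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $pdo->query('SELECT id, name FROM products ORDER BY ' . $columns[$column] . ' ' . $order);
    return $stmt->fetchAll();
}

// Usage with request parameters:
// $pdo = connect();
// $rows = products_by_size($pdo, $_GET['size'] ?? '');
// $posts = posts_by_ids($pdo, $_GET['postids'] ?? '');
// $sorted = products_sorted($pdo, $_GET['sort'] ?? 'name', $_GET['dir'] ?? 'asc');
```

The review question for each query is simply "is any user-controlled byte part of the SQL text?". For values the answer is a placeholder; for lists it is one placeholder per validated element; for identifiers the only answer is an allowlist, which is why slide 32 says escaping functions are not designed for that use.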
33. P4: PHP Configuration
• PHP Configuration has a direct bearing on the severity of
attacks.
• No agreed "secure" PHP configuration
• Arguments for and against the most common security options:
– register_globals (off by default in PHP ≥ 4.2, should be off, REMOVED
as of PHP 5.4.0)
– allow_url_fopen (enabled by default, should be off, available since PHP
4.0.4)
– magic_quotes_gpc (on by default in modern PHP, should be off,
REMOVED as of PHP 5.4.0)
– magic_quotes_runtime (off by default in modern PHP, should be off, REMOVED as of PHP 5.4.0)
– safe_mode and open_basedir (disabled by default, should be enabled
and correctly configured. Be aware that safe_mode really isn't safe and
can be worse than useless)
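Since the slide lists a recommended state for each directive, the natural check is to read the running configuration and report deviations. The block below is an added example, not code from the slides. It checks the slide's directives plus allow_url_include (the companion of allow_url_fopen for include/require) and open_basedir; safe_mode is left out because, as the slide says, it is not a reliable control (and, like register_globals and magic_quotes_*, it no longer exists in PHP 5.4 and later, where ini_get() returns false for it). The function and finding format are assumptions.

```php
<?php
declare(strict_types=1);

// Recommended values taken from slide 33, expressed as on/off.
// '0' means the directive should be disabled.
function expected_settings(): array
{
    return [
        'register_globals'     => '0',
        'allow_url_fopen'      => '0',
        'allow_url_include'    => '0',
        'magic_quotes_gpc'     => '0',
        'magic_quotes_runtime' => '0',
    ];
}

// Normalise the many spellings php.ini accepts for a boolean ("Off", "0",
// "", "false", "no") to '0'; anything else counts as enabled.
function ini_bool(string $value): string
{
    return in_array(strtolower($value), ['', '0', 'off', 'false', 'no'], true) ? '0' : '1';
}

// Returns a list of findings as strings; an empty list means every checked
// directive is in the recommended state for this PHP build.
function audit_php_config(): array
{
    $findings = [];
    foreach (expected_settings() as $name => $want) {
        $have = ini_get($name);
        if ($have === false) {
            // Directive removed from this PHP version: nothing left to disable.
            continue;
        }
        if (ini_bool((string)$have) !== $want) {
            $findings[] = sprintf('%s=%s (expected %s)', $name, $have, $want === '0' ? 'Off' : 'On');
        }
    }
    $basedir = ini_get('open_basedir');
    if ($basedir === false || $basedir === '') {
        $findings[] = 'open_basedir is not set';
    }
    return $findings;
}

// Usage: run under the same SAPI as the application (CLI and web can load
// different php.ini files), e.g. from a health-check endpoint or a deploy step.
foreach (audit_php_config() as $finding) {
    echo $finding, PHP_EOL;
}
```

Treating a missing directive as "nothing to fix" is deliberate: on a current PHP the register_globals and magic_quotes entries vanish, and the audit then concentrates on the settings that still exist.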
34. P5: File System Attacks
• PHP developers have many ways to circumvent security on shared hosts with local file system attacks, particularly in shared environments:
– Local file inclusion (such as /etc/passwd, configuration files, or logs)
– Local session tampering (session files are usually in /tmp)
– Local file upload injection (usually part of image attachment handling)
• As most hosters run PHP as “nobody” under Apache, local file system vulnerabilities affect all users within a single host.
• Version Affected: PHP 3, 4, 5
• CVE/CAN Entries: There have been many examples over the years, for example:
– phpMyAdmin Local file exposure, able to exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system (CVE-2016-6612) https://www.phpmyadmin.net/security/PMASA-2016-35/
– phpMyAdmin Local File Inclusion (CVE-2011-2643)
https://www.phpmyadmin.net/security/PMASA-2011-10/