This document discusses securing web applications in the Web 2.0 era. It begins by explaining what Web 2.0 and AJAX are and how they have introduced new threats compared to traditional web applications. It then outlines various threat vectors against clients, servers, and aggregated content. Tactical security measures are proposed for clients, servers, and aggregation servers. Finally, the document introduces the SecureSpan Data Screen appliance as a specialized infrastructure solution for applying tunable security policies to address the evolving threats of Web 2.0.
The document discusses Spring Framework updates including versions 3.1, 3.2, and 3.3. Key features of Spring 3.1 include environment profiles for activating bean definitions in different environments, Java-based application configuration, and declarative caching. Spring 3.2 will include a Gradle build system and GitHub contributions. Spring 3.3 will add support for Java SE 8 features like lambda expressions and the Java EE 7 API. The document provides code examples of using these new Spring features.
This presentation gives an overview of WSO2's technology platform as of Q2 2009. It gives an update on the ESB, the Web Services Application Server and the Business Process Server, as well as the re-branded Governance Registry and Identity Server.
Integration of Web Service Stacks in an ESB (Wen Zhu)
This document discusses integrating web services with an enterprise service bus (ESB). It provides background on ESB and web service integration approaches. It then demonstrates integrating different web service stacks like Metro, CXF, and JBossWS with ESB products like OpenESB, ServiceMix, and JBossESB. It discusses challenges like transaction management and separating concerns. The document concludes with a demo of a model-driven architecture approach using standards like SoaML to address technology changes while preserving investments.
Mesh services allow web applications to access a user's social graph and storage from desktop devices through synchronization. The Live framework provides tools and APIs to build, deploy, run, and update these "mesh-enabled" web applications, giving them offline access and the ability to integrate with a user's social activity and connected devices. Updates to mesh applications are automatically synchronized across all user instances for easier management by developers and use by customers.
Best Hosting Services provides a simple and inexpensive hosting solution for MAS 90 and MAS 200 customers, designed specifically for the e-Business Manager module. It handles installation and configuration of the ISAPI plug-in, and allows hosting of images and style sheets through Microsoft FrontPage Server extensions directly from the applications. Customers can get their website up and running quickly with up to 100MB of storage and secure transactions through SSL, avoiding the cost of their own web server infrastructure.
BayThreat: Why The Cloud Changes Everything (CloudPassage)
Subtitle: How I Learned to Stop Worrying and Get DevOps to Love Security
These slides are from a talk delivered by Rand Wacker at BayThreat 2011.
ABSTRACT: Take a look around, you might be surprised who is running servers in the cloud; you might be even more surprised about what they are running. Unfortunately, these people rarely if ever thought to tell the security teams, and that means big problems for us all. Securing servers in the cloud is different, very different, than in a traditional data center, but all the same risks are there. Let's start by understanding who is using the cloud, why it is so different, and what works and doesn't work from our typical security toolbox. Then let's try to solve some of those problems and come up with some best practices to help us and those we work with do what they need…securely.
The Azure Services Platform provides a set of building blocks and extensible components for developing rich social applications and consumer experiences in the cloud. It includes services for user and application data storage, identity management, presence, communication, search, and more. Developers can access these services through a uniform RESTful programming model and client libraries. The platform also provides capabilities for compute, storage, messaging, access control, workflows, and databases to enable simple and scalable cloud application architectures.
This talk introduces the role that Spring MVC and REST can play as a service-side endpoint model that can be connected to from mobile, rich, and desktop applications.
Resource Oriented Architecture in Wireless Sensor Network (Thomas Pham)
This document discusses integrating wireless sensor networks with existing information systems using a resource oriented architecture approach. It presents a project integrating Sun SPOT sensors with an enterprise logistics application using REST web services. The system includes a gateway application that acts as a proxy between the sensor network and enterprise servers. Challenges included lack of TCP/IP on sensors and debugging sensors remotely. Future work may include request buffering and standardizing the JSON structure for sensor resources.
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY (Shreeraj Shah)
The document discusses challenges with traditional fuzzing techniques against modern web applications and architectures. It describes how hidden discovery is needed, such as crawling with tools like Ruby and Watir to detect Ajax calls and hidden entry points. Various techniques for SQL injection and blind SQL injection are presented, such as delaying responses, checking for SQL injection, and using tools like sqlmap and Absinthe to perform database enumeration. The need for new approaches to application security testing is emphasized to effectively discover vulnerabilities in modern web applications and architectures.
Mesh services extend web applications to the desktop by providing access to the live social graph, synchronized storage, and offline access. The Live framework provides tools and APIs to build, deploy, run, and update mesh-enabled web applications. Users are in control of accessing their own data and apps through the applications.
SQLUG event: An evening in the cloud: the old, the new and the big (Mike Martin)
Belgian SQL UG talk on Windows Azure SQL Database and co.: The last couple of months have been very exciting times for Microsoft fans. With the release of the central flagship, SQL Server 2012, and the new and improved cloud offering on Windows Azure, Microsoft managed to change the IT landscape dramatically. During this talk we want to take you through all the SQL Server features in the Windows Azure environment, in either the full cloud spectrum or hybrid scenarios. We'll cover subjects like SQL Databases, IaaS, provisioning, integration and migration, and touch on some of the compute topics in Windows Azure when it comes to data, going from the pure basics of everything SQL related to the more advanced things you can do with this cloud platform.
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks (ukdpe)
The document discusses various frameworks and patterns in Silverlight 4, including ASP.NET client application services, WCF data services, WCF RIA services, navigation, search, and extensibility with MEF. It provides an overview and demos of each technology. The presentation encourages attendees to check the schedule for additional in-depth sessions on topics like OData, WCF data services, WCF RIA services, navigation, search engine optimization, and MEF.
Patterns of Cloud Applications Using Microsoft Azure Services Platform (David Chou)
The document describes Microsoft's Azure Services Platform, which provides IT services through a global network of Microsoft data centers. It offers infrastructure, platform, and private cloud services that are managed at different levels, from fully managed platform services to customer-managed private infrastructure. Key services include compute, data, networking, development platforms, identity management, and more. It also provides high availability, security, and usage-based pricing. The platform supports various application patterns including cloud web applications and composite services applications built with Azure services.
This document summarizes a presentation on hacking Web 2.0 technologies and web services. The presentation discusses security concerns with Ajax, including attacks like cross-site scripting and request forgery. It also covers fingerprinting Ajax frameworks, vulnerabilities in Ajax data structures and serialization, and defenses like validating data and avoiding client-side logic. Regarding web services, the document outlines methods for discovery, profiling, and attacks like injection flaws and insecure direct object references. It emphasizes the need for code analysis and filtering input through an IHTTPModule firewall module.
Transaction-based Capacity Planning for greater IT Reliability™ webinar (Metron)
Do you need to predict the true impact of business growth for a specific department or product line?
Are you unsure which infrastructure items (servers and their logical software components) are serving which business applications, and on which tiers the response time of your transactions is being spent?
Now you can get a valuable insight into the performance across all tiers of your enterprise data center environments.
We’ll show you how you can combine business forecast information with infrastructure performance metrics and predict whether you have sufficient capacity to meet the needs of your business at both the component and service levels.
Join us and find out how the combination of Correlsense SharePath and Metron athene® will provide you with a complete Capacity Management solution.
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) (Shreeraj Shah)
Browsers are expanding their feature set to accommodate new specifications like HTML 5, XHR Level 2 and DOM Level 3. These are forming the backbone of next generation applications running on mobile devices, PDAs and desktops. The blend of DOM (remote execution stack), XHR L2 (sockets for injections) and HTML5 (exploit delivery platform) is becoming an easy victim for attackers and worms. We have already witnessed these types of attacks on popular sites like Twitter, Facebook and Yahoo. It is essential to understand the attack surface and vectors in order to protect next generation applications. The attack surface has expanded enormously with the inclusion of features like audio/video tags, drag/drop APIs, CSS opacity, localStorage, web workers, DOM selectors, mouse gesturing, native JSON, cross-site access controls, offline browsing, etc. This extension of the attack surface and the exposure of server-side APIs allow an attacker to perform the following attacks and abuses:
- XHR abuse with attacking Cross Site access controls using level 2 calls
- JSON manipulations and poisoning
- DOM API injections and script executions
- Abusing HTML5 tag structure and attributes
- Localstorage manipulation and foreign site access
- Attacking client side sandbox architectures
- DOM scrubbing and logical abuse
- Browser hijacking and exploitation through advanced DOM features
- One-way CSRF and abusing vulnerable sites
- DOM event injections and controlling (Clickjacking)
- Hacking widgets, mashups and social networking sites
- Abusing client side Web 2.0 and RIA libraries
We will be covering the above attacks and their variants in detail along with some real life cases and demonstrations. It is also important to understand methods of discovering these types of vulnerabilities across the application base. We will see some new scanning tools and approaches to identify some of these key issues.
This document discusses hacking Web 2.0 technologies and provides an overview of vulnerabilities in Ajax and Web Services. The speaker is Shreeraj Shah, founder of Blueinfy Solutions, who has experience in web security research. The presentation covers trends in Web 2.0 adoption, technologies like Ajax and Web Services, and common attacks such as cross-site scripting and request forgery. It also summarizes methodologies for assessing vulnerabilities, including footprinting, profiling, scanning, and fuzzing, as well as defenses like secure coding practices and firewalls.
This webinar presentation shows you how easy it is to build Series 40 web apps based on templates in Nokia Web Tools 2.0. Tapan Acharya, lead evangelist and consultant with Nokia in Bangalore, describes templates including Multi-view, RSS Feed, Accordion, Carousel, and Tab Control. He presents sample apps and shows you how to use existing templates to localise your apps for languages you choose to support. The knowledge from this webinar will help you to select templates effectively and thus develop Series 40 web apps quickly.
Find me if you can – smart fuzzing and discovery! (Shreeraj Shah, owaspindia)
This document discusses smart fuzzing and discovery techniques for assessing applications. It begins with an introduction of the speaker and his background in security research. It then covers challenges with traditional fuzzing approaches not working well on modern web 2.0 applications. The document discusses discovery techniques like crawling Ajax sites and enumerating hidden entry points. It also covers different attack vectors and payloads to use like XML, JSON, and different web protocols. The challenges of blind SQL injection and behavioral assessment with artificial intelligence are also mentioned.
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S... (Brian Huff)
Using integration options both existing and soon-to-be-released, this talk covers multiple integration options between WebCenter Sites and WebCenter Content (Site Studio).
1. The Java project developed a sales and distribution management system for an enterprise, migrating from a legacy Cobol/CORBA/DB2 system to a new Java/J2EE/Oracle architecture.
2. A quick ship shipment and tracking system for the shipping industry was developed using GWT, Spring, a custom ORM, Oracle RAC, and JBoss with integrated mapping, reporting and tracking features.
3. Both projects improved processes, centralized data access, and increased efficiency through redesigned architectures and user-friendly interfaces.
Best Practices for Upgrading Your Portal to SAP NetWeaver 7.3 (SAP Portal)
The document discusses best practices for upgrading a portal to SAP NetWeaver 7.3. It provides an overview of the upgrade process, including preparing the project, upgrading standard and custom portal components, and migrating portal content. Key steps involve using upgrade tools to upgrade the Java application server and portal add-ons, addressing potential issues for custom-developed applications, and transforming portal content and applications to the new WAR file format.
Compliance and Governance Through Complex Entitlement Management (Noam Bunder)
DataScan implemented AquaLogic Enterprise Security (ALES) to manage entitlements and comply with financial regulations. ALES allows DataScan to define security policies centrally and enforce them across applications without modifying code. This improves agility to respond to changing requirements and increases efficiency by removing security logic from applications. DataScan worked with BEA Professional Services on an SOA-based implementation using Java. Ongoing best practices include training IT administrators, integrating prototypes, and focusing on standards-based compliance.
Extend your legacy SOA/ESB infrastructure to Mobile & IoT
This webinar recording provides a use-case driven discussion around appropriate use of existing middleware infrastructure as well as its shortcomings. It dives deep into how APIs can not only complement an ESB or SOA infrastructure but also fill existing gaps.
Watch this webinar recording to learn about:
- Strengths and weaknesses of your existing ESB/SOA infrastructure
- Architecture strategy: extend and add value to legacy middleware with APIs
- Integration / API use cases in Retail, Manufacturing and Telecom
- The API360 approach to digital strategy
The document discusses a presentation about mastering digital channels through APIs. It begins with an agenda that covers the digital world of CMOs/CDOs, companies that are doing it well using APIs, what to do next, and Q&A. It then provides details on the evolution of the digital world from the first generation web to today's SMAC stack challenges. It also discusses how Amazon has mastered digital channels through vision, focus on data and APIs, agility, and persistence in broadening their offerings.
Examining today's biggest API breaches to mitigate API security vulnerabilities
Data breaches have become the top news story. And APIs are quickly becoming the hacker's new favorite attack vector. They offer a direct path to critical information and business services that can be easily stolen or disrupted. And your private APIs can be exploited just as easily as a public API. So what measures can you take to strengthen your security position?
This webinar explores recent API data breaches, the top API security vulnerabilities that are most impactful to today's enterprise and the protective measures that need to be taken to mitigate API and business exposure.
You Will Learn
-Recent breaches in the news involving APIs
-Top attacks that compromise your business
-Mitigating steps to protect your business from attacks and unauthorized access
-API Management solutions that both enable and protect your business
Learn about API Security at http://www.ca.com/api
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
At some point, we all need to design and implement APIs for the Web. What makes Web APIs different than typical component APIs? How can you leverage the power of the Internet when creating your Web API? What characteristics to many "great" Web APIs share? Is there a consistent process you can use to make sure you design a Web API that best fits your needs both now and in the future?
In this session Mike Amundsen describes a clear methodology for designing Web APIs (based on the book "RESTful Web APIs" by Richardson and Amundsen) that allows you to map key aspects of your business into a usable, scalable, and flexible interface that will reach your goals while creating a compelling API for both server and client developers. Whether you are looking to implement a private, partner, or public API, these principles will help you focus on the right metrics and design goals to create a successful API.
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
The document discusses scale-free networks and their application to APIs and the API economy. It notes that while many networks follow a power law distribution, centralized hubs create vulnerabilities. It suggests that API providers adopt a node-based model rather than a centralized hub model to avoid these vulnerabilities and empower users. Both providers and consumers are advised to explore node-based and client-based aggregator models.
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
APIs are everywhere: powering mobile apps, enabling cloud computing, connecting people through social networks and helping to create the Internet of Things. Organizations of every kind are evaluating how they can leverage APIs and replicate the success of companies like Amazon, Google and Salesforce.
Join this webinar to learn about the #API360 model for enterprise API success. This model covers the full spectrum of considerations for companies looking to succeed with APIs for the long haul. You will also hear more about the upcoming #API360 Summit that will take place in Dallas on February 26.
You Will Learn
• How leading Web companies have used APIs to boost revenues and market share
• How to create an enterprise API strategy that will yield real business results
• How to institutionalize best practices that will allow your APIs to evolve and grow
This document discusses opportunities for companies to monetize their application programming interfaces (APIs) and data. It outlines how exposing data through APIs can extend a company's brand and reach while also generating revenue. The document recommends practices for unlocking the value of enterprise data, such as by creating targeted products and services. It also provides tips on best practices for monetizing data APIs, including modeling revenue and simplifying API discovery for developers.
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
The Information Age, 100 years on
The rise of the computer and the digital revolution is responsible for an explosion of devices, data, and connectedness. These are all enabling what is called the dawning of the Information Age. And software designers, developers, and architects all share an important responsibility for shaping and guiding the world’s progress through this axial age into the future.
However, more than 100 years ago, the work of organizing the world’s information into a single all-encompassing taxonomy had already begun. Partially influenced by the positivist doctrine of Auguste Comte, leading thinkers of the early 20th century such as the librarian Paul Otlet in Belgium, museum curator Patrick Geddes in Scotland, and educator Melvil Dewey in the US were each working to design universal classification systems that would encompass and coordinate the explosion of information appearing in libraries, museums, newspapers, magazines, and eventually even radio, movies, and television.
What did we learn in the last century? What have we forgotten? How does their work affect our current trajectory in transforming the work of software and systems design and development? What can we take from Dewey, Otlet, and Geddes with us in to the next 100 years of the Information Age.
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
Identity on the Internet is changing. Social networking has kicked off a massive change in how we integrate identity across applications. This is much more than a simple redesign of security tokens and protocols; instead it is a radical redistribution of power and control over entitlements, shifting it away from the centralized control of a cabal of directory engineers and out to the users themselves.
There are compelling reasons for this shift: it enables scaling of identity administration, and it promotes rapid and agile integration of applications. These are goals shared by the enterprise, but this change has significant implications on infrastructure, people and process. Join us to learn how you can bring modern identity management into the enterprise.
Moving beyond conventional single sign-on to seamless cross-device access with APIs
People are carrying more devices every day – with the average being 2.9 per person. Meanwhile, multitasking has gone into overdrive, as users quickly move from laptop to phone to tablet, expecting a seamless experience when accessing their favorite apps. And this expectation is not just limited to leisure and personal use – it extends to business applications.
Security has broken this seamless workflow and inhibited the mobile “stickiness” businesses are striving to achieve. This webinar with Scott Morrison and Leif Bildoy of CA Technologies will demonstrate how the right combination of identity functionality and secure APIs can help your organization to overcome these challenges and enable the multi-device universe.
You Will Learn
• What challenges must be overcome when supporting multiple mobile app types
• How SSO is evolving past mobile app access to device access
• Why the right implementation of identity and APIs will create consumer stickiness
• How the Internet of Things (IoT) is creating new business opportunities
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
This document discusses how financial institutions can use APIs to improve the customer experience, drive innovation, and generate new revenue opportunities. It provides examples of how APIs have helped organizations like a utility company improve payment processing, a retail bank ensure system availability for trading, and a healthcare provider enhance field work efficiency. The document advocates that API management platforms can help organizations securely expose APIs, accelerate app development, integrate systems, and monitor API usage to support monetization strategies. Overall, the document argues that APIs allow financial firms to enhance customer loyalty, expand into new business areas, and maintain operational resilience in the digital economy.
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
Today’s enterprise mobility solutions emphasize heavy-handed IT governance of devices and applications that impose a burden on developers and/or users. However, managing data and applications using high performance mobile-optimized infrastructure can enable secure, scalable apps while minimizing the effort required by developers and allowing them to focus on their strengths. Come learn how to facilitate the best of both worlds – multi-layer mobile security using modern standards and a fantastic user experience.
This document discusses 5 steps for achieving end-to-end security for consumer mobile apps. It outlines identifying the risk level of apps, understanding where mobile device management and mobile application management fit, securing APIs, implementing secure app development practices, and using authentication, authorization, and access control to balance security and user experience. The document is presented by CA Technologies and promotes their mobile security products and solutions.
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
The document discusses best practices for securing APIs and identifies three key areas: parameterization, identity, and cryptography. It notes that APIs have a larger attack surface than traditional web apps due to more direct parameterization. It recommends rigorous input and output validation, schema validation, and constraining HTTP methods and URIs. For identity, it advises using real security tokens like OAuth instead of API keys alone. It also stresses the importance of proper cryptography, like using SSL everywhere and following best practices for key management and PKI. The overall message is that APIs require different security practices than traditional web apps.
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
The Internet of Things (IoT) promises to improve our productivity and day-to-day lives by connecting a vast range of devices – from cell phones, to cars, to domestic appliances and even to drones. APIs represent the key technology that will make it possible to integrate and leverage information from all these “things”.
There are obvious security and privacy concerns associated with using APIs to expose data and functionality from one device to many others. So, how can we make sure hackers cannot exploit the unprecedented connectivity created by IoT? This webinar will explore key IoT use cases and explain how to address the API security requirements for these use cases.
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
The VIP networking lunch will feature a presentation by Keith Junius, Solution Architect, from Veda on ‘Implementing an API Management Platform’. Attendees will hear about how Veda has modernized their B2B API platform by deploying SOA Gateways. Join Layer 7 at this lunch to learn about:
• Design considerations for API management platforms
• Technical and business challenges faced across the whole system lifecycle
• The soft skills required to achieve a successful outcome
• Lessons learned during and after the project
• Benefits realized by the new platform
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
Today, tech-savvy consumers are always connected, using their mobile devices to compare prices, read user-generated reviews and pay for products - and many leading e-tailers already connect their customers to this information. The any time, any place connectivity enabled by mobile devices empowers all retailers to offer the kinds of enhanced shopping experiences modern consumers are becoming accustomed to.
To truly satisfy the needs of these well-informed, mobile consumers, retail organizations will need ways to create unified shopping experiences across all channels – from brick-and-mortar stores to the Web to mobile. Increasingly, offering a compelling mobile experience will become the cornerstone upon which these omni-channel shopping experiences are built.
In this webinar, you will learn how APIs can:
• Help deliver a consistent retail experience across multiple channels
• Connect retailers with social data
• Extend legacy systems to mobile apps
• Enable organizations to make real-time use of contextual data and buying patterns
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Layer 7: Securing Web 2.0 - What You Need to Know
1. Securing Web 2.0
What You Need to Know
K. Scott Morrison
VP Engineering and Chief Architect
January 2007
2. Bio – K. Scott Morrison
VP Engineering & Chief Architect at Layer 7 Technologies
• http://www.layer7tech.com
• Layer 7 is based in Vancouver BC, Canada
Co-author of Sams’ Java Web Services Unleashed and Wrox’s Professional JMS
• Over 50 other publications in academic journals and trade magazines
Co-Editor WS-I Basic Security Profile
Co-Author WS-Federation
Frequent speaker on Web services, XML, mobile/wireless computing systems, distributed systems architecture, and Java design issues
January 2007
SecureSpan™ Gateway Overview Proprietary and Confidential 2
3. Agenda
Web 2.0
AJAX
What’s new about this?
The collision between AJAX & SOA
What are the new threat vectors
Mitigation strategies
Infrastructure solutions
4. Web 2.0
Web 2.0 isn’t a technology
It’s actually an approach to building for the Web
Web 2.0 is:
Aggregation of content
Collaboration
Synergizing the efforts of individuals
Rich interaction models
Examples: MySpace, Flickr, Google Maps, Google Gmail, Google Suggest, del.icio.us, …etc
Remember: “You” is not a technology
Graphic source: http://www.time.com/time/covers/0,16641,20061225,00.html
5. AJAX
AJAX is an approach underpinning Web 2.0
Provides rich browser interaction models
This contributes to the goal of fostering individual contributions
Can also be used to aggregate content
AJAX is really a slick new name for existing technology:
1. (X)HTML and CSS for presentation markup
2. DOM and JavaScript for dynamic content
3. XMLHttpRequest (XHR), IFrame, dynamic <SCRIPT> hack for asynchronous content retrieval
4. XML, JSON, JavaScript Objects, or just text for data communication
So what is different here?
6. Web 1.0
[Diagram: the web browser on the Internet sends a request through the firewall to the web application server on the corporate network, which consults a directory server. User clicks link, presses button, is referred, etc.]
7. Web 1.0 (cont.)
[Diagram: the browser’s HTTP GET or POST request carries HTTP headers plus query params or POST contents through the firewall to the web application server, which performs AuthN and AuthR against the directory server on the corporate network.]
8. Web 1.0 (cont.)
[Diagram: the HTTP response returns HTML, images, JavaScript, etc. to the browser and a new page is rendered. The user experiences long latency delays that affect usability.]
9. Web 2.0 – AJAX Paradigm
[Diagram: the request is made as before; the page-load HTTP response delivers HTML, images and an embedded JavaScript (AJAX) engine to the browser, giving a separation between presentation and content retrieval.]
10. Web 2.0 – AJAX Paradigm (cont.)
[Diagram: the user interacts with the AJAX engine in the browser, which issues HTTP GET, POST, PUT, DELETE, HEAD, etc. requests through the firewall to a service on the web application server, and receives XML, JSON, JavaScript objects, text, etc. in the HTTP response.]
11. Web 2.0 – Server Side Aggregations
[Diagram: the user interacts with the web application server, which pulls external information (RSS, ATOM, XML, etc.) from external feeds and services and returns an aggregate content page to the browser.]
Look familiar? It’s data integration all over again… New data, new transport, same old problems
This, of course, could also be an AJAX-based application
There are also models for client-side (browser) aggregation
12. What are the Threats?
Threats Against The Client
New attack surface: the AJAX engine itself, inside the web browser
Loads of potential parameter & injection attacks. Attempts to hijack session tokens, cookies, etc.
Cross Site Scripting (XSS), Cross Site Reference Forgery (XSRF)
Lots of potentially dangerous things to query or even set. Consider DOM:
document.URL
document.cookie
document.domain
document.referrer
etc…
Turn off JavaScript??? No.
13. What are the Threats (cont.)?
Threats Against The Server
Classic attack surface, but with new challenges
[Diagram: the web application server on the corporate network, reached through the firewall on ports 80, 443]
In: Richer parameter attacks, XML-based DOS attacks, etc
Out: Information leaking, integrity compromise, injection, etc
Big problem: XML parsers are just too helpful and naive
14. What are the Threats (cont.)?
Threats Against Content
In: session hijacking, unauthorized access, etc.
Out: integrity compromise, injection of poison content like scripts into XML, etc.
Another classic attack surface, but with still more new challenges.
Note that the aggregator is just another web client. It’s not a browser, but many similar attacks still apply.
[Diagram: external feeds and services outside the corporate network.]
15. Why Should You Care?
Big questions around corporate responsibility
Regulatory issues around privacy (HIPAA, PIPEDA, etc)
Regulatory issues around accountability (Sarbox, etc)
Liability for forged transaction
Liability for damage from compromised servers
Not to mention huge issues around brand and reputation damage accrued from a significant security event
16. Tactical Security Measures
Clients (browsers)
Tough area to secure
Must ensure you are serving solid code
Rigorous code review
AJAX has submarine complexity
Ensure that data streams you serve are validated
Redaction, strict validation to tightened schemas
[Diagram: servers offer clean and secure code, and validated and cleansed data, to the web browser.]
The problem with JavaScript is that it makes it easy to write code, but hard to write secure code.
17. Tactical Security Measures (cont.)
Core Servers (Web application servers)
More control, and more mature best practices
Add rigorous AuthN, AuthR, Audit
Look at cryptographic model
Inward: DOS protect
Threat protect
Parameter validate
Outward: Schema validation and redaction
[Diagram: secure channel in and out of the web application server; validate params on the way in, validate and cleanse data on the way out.]
What makes this difficult is the added complexity of XML data structures, and the richer attack surface of service-based APIs.
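The outbound side of slides 13, 16 and 17 (information leaking, redaction, serving only validated and cleansed data to the AJAX engine) reduces to one rule: never serialize an internal record as-is. Added example, not from the deck: an outbound screen that projects a backend record onto an explicit response schema (unnamed fields are dropped, wrong types are refused rather than coerced), masks the account number, and serializes the JSON so that it can be inlined into an HTML page without a `</script>` breakout. The service name, field names, masking rule and record are constructed assumptions.

```python
import json
import re


class OutboundViolation(Exception):
    """The backend produced something the response schema does not allow."""


# Response schema for a hypothetical getAccountSummary() call: only these
# fields leave the network, and only with these types. Anything the backend
# adds later (debug fields, internal identifiers) is dropped, not leaked.
ACCOUNT_SUMMARY_SCHEMA = {
    "customer_name": str,
    "account_number": str,
    "balance": (int, float),
    "currency": str,
}


def mask_account_number(value: str) -> str:
    """Keep the last four digits; the AJAX client never needs more."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 4:
        raise OutboundViolation("account number too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_response(record: dict, schema: dict) -> dict:
    """Project the record onto the schema; refuse rather than coerce."""
    out = {}
    for name, expected in schema.items():
        if name not in record:
            raise OutboundViolation(f"response missing required field '{name}'")
        value = record[name]
        # bool is a subclass of int, so it is excluded from numeric fields.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise OutboundViolation(f"field '{name}' has type {type(value).__name__}")
        out[name] = value
    if "account_number" in out:
        out["account_number"] = mask_account_number(out["account_number"])
    return out


def json_for_html(payload: dict) -> str:
    """Serialize so the result is safe to inline inside a <script> block.

    json.dumps leaves '<' and '>' alone, so a string containing '</script>'
    would terminate the enclosing script element. Encoding them as \\u003c
    and \\u003e (and '&' as \\u0026) keeps the JSON identical once parsed
    and inert as HTML.
    """
    text = json.dumps(payload, ensure_ascii=True, separators=(",", ":"))
    return (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


# Constructed backend record carrying more than the client should ever see.
BACKEND_RECORD = {
    "customer_name": "Ada </script><script>alert(1)</script>",
    "account_number": "4111-2222-3333-7890",
    "balance": 1250.75,
    "currency": "CAD",
    "internal_notes": "flagged for manual review",   # must never leave
    "ssn": "123-45-6789",                              # must never leave
}


def build_response(record=BACKEND_RECORD) -> str:
    """The bytes that actually cross the wire to the AJAX client."""
    return json_for_html(redact_response(record, ACCOUNT_SUMMARY_SCHEMA))


def parsed_response(record=BACKEND_RECORD) -> dict:
    """What the client's JSON.parse() would see."""
    return json.loads(build_response(record))


if __name__ == "__main__":
    print(build_response())
```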
18. Tactical Security Measures (cont.)
Aggregation Servers (Application servers)
Emerging area, with few best practices
Encourage authenticated access model
You may be forced into this anyway…
Look at cryptographic model
Incoming data: Validate feed content
Strip potential exploits like embedded
<SCRIPT> tags
[Diagram: the aggregation server authenticates access to the external feed and validates and threat-protects the data feed, over a secure channel.]
The big problem here is you may not have control of the source of the data. A large number of sites are cracking down on “unauthorized” use in mashups.
Furthermore, APIs may change radically, making it critical to validate the incoming feed against a schema to catch API updates.
19. Thanks For Nothing Scott: “So How Do I Really Do This?”
You could just build it into your systems…
But that is brittle and error-prone
What you really need is specialized infrastructure built for this purpose
Needs to be:
High performance
Scalable
Simple to configure
And most important: offer tunable security policy
20. Why Tunable Policy?
Not all services are equal:
getStockQuote(): anonymous access, unsecure channel
buyStock(): authenticated and authorized access, secured (integrity and privacy) channel or message
Policy (the security processing model) must be customized to the business requirements.
21. Securing Web 2.0: SecureSpan Data Screen™
22. Securing Web 2.0: SecureSpan Data Screen™
Hardware appliance for Web, REST, & AJAX security
processing.
ASICs for XML schema validation, XPath, XSLT, cryptographic
operations
Fully clustered
Policy-based processing model
Browser-based management and operations console
Integration with all major directory, IAM, access control servers
[Diagram: browser-based management and operations console connected to a SecureSpan Data Screen™ cluster.]
23. Securing Web 2.0: SecureSpan Data Screen™
Gateway Deployment For Incoming Calls
Wire speed schema validation of XML entering network
Rigorous HTTP parameter validation
Tight control over HTTP methods (GET, POST, DELETE, PUT, etc). Control over REST.
Hardware transformation of XML content in and out of network
Throttle access to back end services
Traffic shaping across server farms
XML threat detection
Endpoint for SSL and XML document security (encryption, signature & canonicalization according to W3C specs)
Controlled stripping of <SCRIPT>, eval() (PHP, JS, Python, etc), shell injection attacks, etc to combat XSS
[Diagram: web browser on the Internet reaches the SecureSpan gateway at the corporate network edge, which fronts the web application server and directory server inside the corporate network.]
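Slides 17, 20 and 23 describe the same mechanism from three angles: inbound parameter validation, per-service policy that differs between getStockQuote() and buyStock(), and gateway-side control of HTTP methods and throttling. Added example, not SecureSpan code: a small policy engine that enforces, per service path, the allowed methods, an exact list of parameters with their shapes, TLS and authentication requirements, and a sliding-window throttle toward the back end. The paths, parameter shapes and limits are assumptions modelled on the slide's two services.

```python
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


class PolicyViolation(Exception):
    """Request rejected at the gateway; the application server never sees it."""


@dataclass(frozen=True)
class ServicePolicy:
    methods: FrozenSet[str]                 # allowed HTTP methods
    params: Dict[str, re.Pattern]           # every permitted parameter and its shape
    require_tls: bool                       # privacy/integrity of the channel
    require_auth: bool                      # authenticated principal required
    rate_per_minute: Optional[int]          # throttle toward the back end


# Two services, two policies (assumed shapes, modelled on the slide's pair).
POLICIES = {
    "/quotes/getStockQuote": ServicePolicy(
        methods=frozenset({"GET"}),
        params={"symbol": re.compile(r"[A-Z]{1,5}")},
        require_tls=False, require_auth=False, rate_per_minute=600),
    "/trading/buyStock": ServicePolicy(
        methods=frozenset({"POST"}),
        params={"symbol": re.compile(r"[A-Z]{1,5}"),
                "quantity": re.compile(r"[1-9][0-9]{0,5}")},
        require_tls=True, require_auth=True, rate_per_minute=60),
}


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    tls: bool = False
    principal: Optional[str] = None         # set by the gateway's AuthN step


class Gateway:
    def __init__(self, policies=POLICIES, clock=time.monotonic):
        self.policies = policies
        self.clock = clock                  # injectable for testing
        self._hits = defaultdict(deque)     # (principal, path) -> timestamps

    def screen(self, req: Request) -> ServicePolicy:
        policy = self.policies.get(req.path)
        if policy is None:
            raise PolicyViolation(f"no policy for {req.path}: default deny")
        if req.method not in policy.methods:
            raise PolicyViolation(f"{req.method} not allowed on {req.path}")
        if policy.require_tls and not req.tls:
            raise PolicyViolation("TLS required")
        if policy.require_auth and not req.principal:
            raise PolicyViolation("authentication required")

        # Strict parameter validation: nothing unexpected, nothing malformed.
        unexpected = set(req.params) - set(policy.params)
        if unexpected:
            raise PolicyViolation(f"unexpected parameters {sorted(unexpected)}")
        for name, shape in policy.params.items():
            value = req.params.get(name)
            if value is None or not shape.fullmatch(value):
                raise PolicyViolation(f"parameter {name!r} missing or malformed")

        # Sliding-window throttle per principal (a real gateway would also key
        # anonymous traffic by client address).
        if policy.rate_per_minute is not None:
            key = (req.principal or "anonymous", req.path)
            window = self._hits[key]
            now = self.clock()
            while window and now - window[0] >= 60:
                window.popleft()
            if len(window) >= policy.rate_per_minute:
                raise PolicyViolation("rate limit exceeded")
            window.append(now)
        return policy


def demo():
    """Screen a handful of constructed requests; return pass/reject verdicts."""
    gw = Gateway()
    cases = {
        "quote_anonymous": Request("GET", "/quotes/getStockQuote", {"symbol": "ACME"}),
        "buy_unauthenticated": Request("POST", "/trading/buyStock",
                                       {"symbol": "ACME", "quantity": "10"}, tls=True),
        "buy_injected_quantity": Request("POST", "/trading/buyStock",
                                         {"symbol": "ACME", "quantity": "10; DROP TABLE orders"},
                                         tls=True, principal="alice"),
        "buy_via_get": Request("GET", "/trading/buyStock",
                               {"symbol": "ACME", "quantity": "10"}, tls=True, principal="alice"),
        "buy_ok": Request("POST", "/trading/buyStock",
                          {"symbol": "ACME", "quantity": "10"}, tls=True, principal="alice"),
    }
    verdicts = {}
    for label, req in cases.items():
        try:
            gw.screen(req)
            verdicts[label] = "pass"
        except PolicyViolation as exc:
            verdicts[label] = f"reject: {exc}"
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:22s} {verdict}")
```

Note the order of checks: the cheap, static rules (path, method, channel, identity) run before any parameter is inspected, and parameters are matched with fullmatch against an allowlist of names, so an extra parameter is a rejection rather than something passed through to the back end.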
24. Securing Web 2.0: SecureSpan Data Screen™
Proxy Deployment For Outgoing Calls
Wire speed validation of XML entering network
Stripping of potentially harmful data in feeds (<SCRIPT>, etc)
Management of outgoing cryptography and credentials
Wire speed transformation of XML data to insulate internal servers from external API changes
[Diagram: web application server and directory server inside the corporate network reach external services (RSS, ATOM, XML, etc.) through the gateway acting as an outbound proxy; the web browser consumes the result.]
25. Summary
Web 2.0 and the technologies associated with it are too good to ignore
However, they introduce huge new security complexities
The only way to deal with these effectively is with diligence, rigor, and specialized infrastructure to manage an evolving threat model
Layer 7’s SecureSpan Data Screen™ provides the tools to help secure Web 2.0, REST, AJAX, SOA, RSS and ATOM today.
26. For further information:
K. Scott Morrison
Layer 7 Technologies
1501 – 700 West Georgia St.
Vancouver, B.C. V7Y 1B6
Canada
(800) 681-9377
smorrison@layer7tech.com
http://www.layer7tech.com