This document discusses securing EmberJS applications. It begins by introducing the author and their background working on client-side web security. It then provides an overview of the topics covered, which include cross-site request forgery (CSRF), cross-site scripting (XSS), and content security policy (CSP). It explains the architecture of single-page applications like EmberJS applications. It also illustrates common web attacks like CSRF and XSS, and describes approaches to mitigate these attacks in EmberJS applications, including the use of tokens and CSP.
AWS Cost Management Workshop at the San Francisco Loft
AWS offers a number of products that allow you to access, organize, understand, optimize, and control your AWS costs and usage. This workshop will help you get started using AWS Cost Explorer to visualize your usage patterns and identify your underlying cost drivers. From there, you can take action on your insights by learning how to set custom cost and usage budgets and receive alerts via email or Amazon SNS topic using AWS Budgets.
Amazon has proved its might in the field of offering diverse cloud services and has excelled in almost all scenarios to date. Amazon EC2 came into play in 2006 and has gained immense popularity since then. Alongside it, AWS Lambda, a popular service that came out in 2014, now stands side by side with EC2 in terms of popularity and adoption.
To know the major differences between AWS Lambda and EC2, please visit https://www.whizlabs.com/blog/aws-lambda-vs-ec2/
AWS Purpose-Built Database Strategy: The Right Tool for The Right Job, by Amazon Web Services
Learn why AWS is building a comprehensive database and analytics platform with purpose-built databases designed to solve specific customer problems.
We dive deeper into the operational database services that AWS offers, such as Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, and the new Amazon Neptune graph database. Finally, through a demonstration of Amazon RDS, you get to see how easy it is to use a managed database service.
Amazon RDS allows you to launch an optimally configured, secure and highly available database with just a few clicks. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you to focus on your applications and business.
A Closer Look at How AWS Lambda Works Internally and How to Use It - 김일호, Solutions Architect Manager, AWS :: AWS Summit ..., by Amazon Web Services Korea
A Closer Look at How AWS Lambda Works Internally and How to Use It
김일호, Solutions Architect Manager, AWS
AWS Lambda is the core service of serverless architectures. This session introduces how AWS Lambda works internally, covers newly introduced features such as Lambda Layers and custom runtimes, and shares a variety of performance and scaling tips that help when using it.
Dynamic Scaling: How Apache Flink Adapts to Changing Workloads (at FlinkForwa..., by Till Rohrmann
Modern stream processing engines not only have to process millions of events per second at sub-second latency but also have to cope with constantly changing workloads. Due to the dynamic nature of stream applications, where the number of incoming events can vary strongly over time, systems cannot reliably predetermine the amount of required resources. In order to meet guaranteed SLAs while utilizing system resources as efficiently as possible, frameworks like Apache Flink have to adapt their resource consumption dynamically. In this talk, we will take a look under the hood and explain how Flink scales stateful applications in and out. Starting with the concept of key groups and partitionable state, we will cover ways to detect bottlenecks in streaming jobs and discuss efficient strategies for scaling out operators with minimal downtime.
In this session we will explore the world’s first cloud-scale file system and its targeted use cases. Session attendees will learn about EFS’s benefits, how to identify applications that are appropriate for use with EFS, and details about its performance and security models. The target audience is file system administrators, application developers, and application owners that operate or build file-based applications.
How do you grapple with a legacy portfolio? What strategies do you employ to get an application to cloud native?
This talk will cover tools, processes and techniques for decomposing monolithic applications into Cloud Native applications running on Pivotal Cloud Foundry (PCF). The webinar will build on ideas from seminal works in this area: Working Effectively With Legacy Code and The Mikado Method. We will begin with an overview of the technology constraints of porting existing applications to the cloud, sharing approaches to migrate applications to PCF. Architects & Developers will come away from this webinar with prescriptive replatforming and decomposition techniques. These techniques offer a scientific approach to an application migration funnel and show how to implement patterns like Anti-Corruption Layer, Strangler, Backends For Frontend, Seams etc., plus recipes and tools to refactor and replatform enterprise apps to the cloud. Go beyond the 12 factors and see WHY Cloud Foundry is the best place to run any app - cloud native or non-cloud native.
Speakers: Pieter Humphrey, Principal Product Manager; Pivotal
Rohit Kelapure, PCF Advisory Solutions Architect; Pivotal
Hungry for more? Check out this blog from Kenny Bastani:
http://www.kennybastani.com/2016/08/strangling-legacy-microservices-spring-cloud.html
Best Practices for Amazon S3 and Amazon Glacier (STG203-R2) - AWS re:Invent 2018, by Amazon Web Services
Learn best practices for Amazon S3 performance optimization, security, data protection, storage management, and much more. In this session, we look at common Amazon S3 use cases and ways to manage large volumes of data within Amazon S3. We discuss the latest performance improvements and how they affect previous guidance. We also talk about the Amazon S3 data resilience model and how the architecture of AWS Regions and Availability Zones affects fault-tolerant application architectures.
BRIEF HISTORY OF DATA PROCESSING
RELATIONAL (SQL) VS. NONRELATIONAL (NOSQL)
Why noSQL?
ACID VS CAP
DynamoDB- what is it?
DynamoDB ARCHITECTURE
Conditional Writes
Provisioned throughput
QUERY VS SCAN
Operations
Benefits
Limitations
DEMO
Amazon Web Services provides multiple messaging options that you can use to create scalable, distributed systems, implement event sourcing to unlock hidden context and utilise CQRS for efficient data access. In this session we will look at various messaging patterns and discuss techniques and use cases for Amazon SQS, Amazon SNS, Amazon Kinesis, Amazon DynamoDB and Amazon Web Services IoT in your application.
Speaker: Stephen Liedig, Solutions Architect, Amazon Web Services
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
Creating Connector to Bridge the Worlds of Kafka and gRPC at Wework (Anoop Di..., by confluent
What do you do when you have two different technologies on the upstream and the downstream that are both rapidly being adopted industry-wide? How do you bridge them scalably and robustly? At Wework, the upstream data was being brokered by Kafka and the downstream consumers were highly scalable gRPC services. While Kafka was capable of efficiently channeling incoming events in near real-time from a variety of sensors that were used in select Wework spaces, the downstream gRPC services that were user-facing were exceptionally good at serving requests in a concurrent and robust manner. This was a formidable combination, if only there was a way to effectively bridge these two in an optimized way. Luckily, sink Connectors came to the rescue. However, there weren't any for gRPC sinks! So we wrote one.
In this talk, we will briefly focus on the advantages of using Connectors and creating new Connectors, and specifically spend time on the gRPC sink Connector and its impact on Wework's data pipeline.
Kubernetes offers a powerful abstraction layer for managing containerized infrastructure. Amazon Elastic Container Service for Kubernetes (Amazon EKS) makes it easy to run Kubernetes on AWS without having to manage master nodes or the etcd operator. In this session, we show how Amazon EKS makes deploying Kubernetes on AWS simple and scalable, including networking, security, monitoring, and logging.
Local Testing and Deployment Best Practices for Serverless Applications - AWS..., by Amazon Web Services
- Learn best practices for testing, debugging, and deploying serverless applications
- Understand how to use the AWS Serverless Application Model (AWS SAM) to model and deploy serverless applications
- Learn to use the AWS SAM Local CLI tool to locally test Lambda functions
With cloud, you have the flexibility to acquire and use IT resources and services on demand, which represents a major shift from traditional approaches to managing cost. A key first step on your organization's cloud journey is to establish best practices for cost management in the cloud. AWS' cost optimization techniques help our customers understand cost drivers and effectively manage the cost of running existing application workloads or new ones in the cloud.
In this interactive session we'll demonstrate how to install and configure the AWS Amplify CLI, create a new project and explore the resources created by the CLI. Expect to follow along setting up your own environment for PC or Mac.
Level: Beginner
Speaker: Nader Dabit - Developer Advocate, AWS Mobile Applications
Training for AWS Solutions Architect at http://zekelabs.com/courses/amazon-web-services-training-bangalore/. This slide deck describes the features of Simple Storage Service (S3): S3 buckets, S3 static web hosting, cross-region replication, storage classes and their comparison, Glacier, transfer acceleration, lifecycle management, security and encryption.
___________________________________________________
zekeLabs is a technology training platform. We provide instructor-led corporate training and classroom training on industry-relevant cutting-edge technologies like Big Data, Machine Learning, Natural Language Processing, Artificial Intelligence, Data Science, Amazon Web Services, DevOps, Cloud Computing and frameworks like Django, Spring, Ruby on Rails, Angular 2 and many more to professionals.
Reach out to us at www.zekelabs.com or call us at +91 8095465880 or drop a mail at info@zekelabs.com
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe, by Philippe De Ryck
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!
Modern Web Security, Lazy but Mindful Like a Fox, by C4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2hYU0cd.
Albert Yu presents a few viable, usable and effective defensive techniques that developers have often overlooked. Filmed at qconsf.com.
Albert Yu is currently working as a principal engineer on the Trust Engineering team at Atlassian. He has spent 15 years working across many different aspects of a security program, including security engineering, R&D, product reviews, code review, penetration testing, governance and compliance, risk management, and incident response, in large-scale environments.
Cyber Security Workshop @SPIT - 3rd October 2015, by Nilesh Sapariya
Got invited to conduct the workshop on 'Cyber Security' at a top-notch engineering college:
Sardar Patel Institute of Technology, Andheri, on 3rd October 2015.
Student feedback:-
https://drive.google.com/file/d/0B_uWWP1uW7TFWVdTanJFdTlqNkE/view?usp=sharing
Appreciation letter:-
https://drive.google.com/file/d/0B_uWWP1uW7TFMkVVUTR4V1JTN2c/view?usp=sharing
This presentation by Mike Shame of Qualys covers the basics of web application security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as cross-site scripting (XSS) attacks, SQL injection, directory traversals, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective actions to minimize risks.
Browser Security – Issues and Best Practices, by VannaSchrader3
Browser Security – Issues and Best Practices
Outline
Intro to Browser Security
Need for Browser Security
Browser Security Fundamentals
Browser Security Issues
OWASP Top 10 – A7:2017– Cross-Site Scripting XSS
OWASP Top 10 – A3:2017– Sensitive Data Exposure
Attacks against Browser Security Mechanisms
Browser Security Best Practices
Intro to Browser Security
Intro to Browser Security
How does a web application work?
(Diagram: Client and Server; involves browsers)
Intro to Browser Security (contd.)
Browser
A browser is “an application that finds and displays web pages”.
It coordinates communication between your computer and the web server where a particular website “lives” by:
Accepting a website address as a URL
Submitting a request to the server to retrieve the content for the page
Processing the code (HTML, CSS, JavaScript, etc.) from the server
Loading active content (Flash, ActiveX, etc.) needed by the page
Displaying the complete, formatted web page
Repeating the process for every single user interaction with the page
Source: Understanding Your Computer: Web Browsers – U.S. CERT –
https://www.cisa.gov/uscert/ncas/tips/st04-022
Intro to Browser Security (contd.)
Examples:
Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.
Browser Market Share as of February 2022:
Source: Global Web Stats – W3Counter –
https://www.w3counter.com/globalstats.php
Intro to Browser Security (contd.)
Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8)
Browser security involves the following:
Protection against common client-side attacks
Protection against phishing
Management of browser extensions
Use of adequate cryptography protocols
Source: X41 Browser Security White Paper –
https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
Intro to Browser Security (contd.)
Browser security also involves the following:
Protection against active content
Active content refers to scripts that execute programs within the browser
e.g.: scripts used to create splash pages or options like drop-down menus
JavaScript is widely used to create active content
ActiveX controls reside on your computer and can be used as spyware
Protecting cookies
Cookies store information such as IP address, domain names, browser info, browsing habits, etc.
Both session cookies and persistent cookies must be protected from security attacks by adjusting the browser’s security settings to block or limit access to cookie information
Source: U.S. CERT – Browsing Safely: Understanding Active Content and Cookies –
https://www.cisa.gov/uscert/ncas/tips/ST04-012
Intro to Browser Security (contd.)
Browser-specific security features:
Google Chrome security features
Apple Safari security features
Internet Explorer security features
Microsoft Edge security features
Mozilla Firefox security fea ...
Widespread security flaws in web application development 2015, by mahchiev
Widespread security flaws in web application development
* SQL Injection - Hands-On Example
* Cross-Site Scripting (XSS)
* Cross-Site Request Forgery
* HTTP Strict Transport Security
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017, by Philippe Gamache
OWASP Top 10 Proactive Controls 2016
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017, by Philippe Gamache
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024, by Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object Calisthenics, by Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo..., by James Anderson
2. About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ Focus on (client-side) Web security
§ Responsible for the Web Security training program
§ Dissemination of knowledge and research results
§ Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
§ 7 attacker models, broken down into 10 capabilities
§ 13 attacks and their countermeasures
§ Overview of security best practices
3. iMinds-DistriNet, KU Leuven
§ Headcount:
§ 10 professors
§ 65 researchers
§ Research Domains
§ Secure Software
§ Distributed Software
§ Part of the iMinds Security Department
§ Together with COSIC and ICRI
§ Academic and industrial collaboration in 30+ national and European projects
https://distrinet.cs.kuleuven.be
4. Traditional Web Applications
[Diagram: the browser submits the "Create New Task" form (Description: Cooking, Deadline: 25/02/2015) as POST newItem.php; the server parses the request, stores the data, retrieves all data, generates HTML and sends the complete page (<html> … </html>) back, which renders the Overview list (Deadline / Task: 25/02/2015 Cooking, 30/03/2015 B-day party).]
6. Traditional Web Applications
[Diagram: clicking the "Task" column header sends GET sortBy?col=Task to a Sorting API; the server runs the same pipeline (parse request, store data, retrieve all data, generate HTML, send response) and answers with an HTML fragment (<table> … </table>) that replaces the Overview table.]
7. Single Page Applications
[Diagram: the client-side application sends POST /items/ with the new task (Cooking, 25/02/2015) to the API; the server parses the request, stores the data and replies with a bare OK; the client updates the Overview table (25/02/2015 Cooking, 30/03/2015 B-day party) itself.]
8. Single Page Application Architecture
[Diagram of the components: a Client-Side Application built from Static Application Files, with Client-Side Data Storage and access to JavaScript APIs, running under Default Browser Security Policies, Server-Controlled Security Policies and Client-Enforced Security Policies; it talks to an API backed by a Storage Backend that holds the Session Data.]
11. Single Page Application Architecture
[Same architecture diagram; the Server-Controlled Security Policies box expands to:]
Cookie Security flags
X-Frame-Options
Content Security Policy
Cross-Origin Resource Sharing
HTTP Strict Transport Security
HTTP Public Key Pinning
Subresource Integrity
…
12. Threats against Modern Web Applications
[Architecture diagram from the previous slides, reused to locate the threats discussed next.]
13. Web Security has Become Complex
http://arstechnica.com/security/2015/04/no-joke-googles-april-fools-prank-inadvertently-broke-sites-security/
14. Web Security has Become Complex
http://arstechnica.com/security/2015/04/match-coms-http-only-login-page-puts-millions-of-passwords-at-risk/
15. Client-Side Web Security
§ Browser security policies govern client-side behavior
§ Default policies apply to all applications running in the browser
§ Same-origin policy restricts interactions within the browser
§ Depended upon by numerous countermeasures
§ Modern client-side security policies are server-driven
§ Tailored towards a specific web application
§ Prevent unauthorized actions within the browser
§ Often preceded by autonomous client-side countermeasures
17. Overview
§ Cross-Site Request Forgery
§ Technicalities and common countermeasures
§ Mitigating CSRF in EmberJS applications
§ Cross-Site Scripting
§ What is it and why should I care?
§ XSS Protection in EmberJS
§ Content Security Policy
§ CSP, a second line of defense against injection attacks
§ Keeping tabs on your CSP deployment
§ EmberJS and CSP in practice
19. Cross-Site Request Forgery Illustrated
[Sequence diagram: the browser logs in to some-shop.com as Philippe ("Hello Philippe") and shows orders ("List of orders"); it then loads hackedblog.com ("Show latest blog post" / "Latest blog post"), whose page triggers a "Change email address" request to some-shop.com, which answers "Sure thing, Philippe".]
20. The Essence of CSRF
§ The server is confused about the intentions of the user
§ Malicious sites can trigger unintended requests from the browser
§ Consequence of the ambient authority carried by the cookie
§ Common vulnerability
§ Illustrated by cases at Google, Facebook, eBay, …
§ Ranked #8 on OWASP top 10 (2013)
§ Countermeasures require explicit action by the developer
§ Often only focus on POST / PUT / DELETE
23. CSRF Defense 1: HTML tokens
§ Hide token within the page, and check upon form submission
§ Same-Origin Policy keeps this token out of reach for the attacker
[Sequence diagram: the account details page served by some-shop.com carries the token, so "Change email address" from that page succeeds ("Sure thing, Philippe"); the same request triggered from hackedblog.com ("Show latest blog post" / "Latest blog post") lacks the token and fails ("CSRF token sadness").]
24. CSRF Defense 1: HTML tokens
<form action="submit.php">
  <input type="hidden" name="token" value="qasfj8j12adsjadu2223" />
  …
</form>
TOKEN-BASED APPROACH
25. CSRF Defense 2: Origin Header
§ Check the origin header sent by the browser
§ Automatically added to state-changing requests (POST, PUT, DELETE)
[Sequence diagram: "Change email address" sent from some-shop.com carries Origin: some-shop.com and succeeds ("Sure thing, Philippe"); the same request triggered from hackedblog.com ("Show latest blog post" / "Latest blog post") carries Origin: hackedblog.com and is rejected ("Stranger danger!").]
26. CSRF Defense 3: Transparent Tokens
§ Transparent token stored in cookie, checked in header
§ Security depends on the ability to read the cookie from JavaScript
[Exchange with some-shop.com: on the first request the server responds with Set-Cookie: session=… and Set-Cookie: CSRF-Token=123; later requests carry Cookie: session=…, Cookie: CSRF-Token=123 and the header X-CSRF-Token: 123. Only the JS code on the page can copy the cookie value into the header.]
27. CSRF Defense 3: Transparent Tokens
var csrf = require('csurf');
app.use(csrf());
app.use("/", function(req, res, next) {
  // expose the CSRF token in a cookie the client-side application can read
  res.cookie('XSRF-TOKEN', req.csrfToken());
  next();
});
TRANSPARENT TOKENS
28. CSRF Defense 3: Transparent Tokens
export default {
  name: "CSRFProtection",
  initialize() {
    // copy the XSRF-TOKEN cookie into a request header on every same-origin AJAX call
    window.$.ajaxPrefilter(function(options, originalOptions, xhr) {
      if (!options.crossDomain) {
        var token = /XSRF-TOKEN=([^;]+)/.exec(document.cookie);
        if (token) {
          xhr.setRequestHeader('X-CSRF-Token', token[1]);
        }
      }
    });
  }
};
EMBERJS INITIALIZER
30. What about Authentication Tokens?
[Sequence diagram: the browser logs in to some-shop.com as Philippe ("Hello Philippe") and the client-side application adds Authorization: lakdjq9ajzj22 to its own requests ("Show orders" / "List of orders"); a "Change email address" request triggered from hackedblog.com ("Show latest blog post" / "Latest blog post") carries no such header, and the server answers "Dude, where's your token?"]
33. Cross-Site Scripting (XSS)
§ Injection of attacker-controlled script into victim application
§ Very common Web vulnerability
§ Ranked #3 in OWASP’s top 10 (2013)
§ Referred to as the buffer overflow of the Web
§ Why is XSS such a big deal?
§ Attacker can run code with your application’s privileges
§ Full access to page’s contents and resources
§ Full use of granted permissions
§ Launch platform for attack escalation (e.g. malware)
36. Cross-Site Scripting Payloads
§ XSS payload is often benign, just to show a proof of exploit
§ XSS payloads are only limited by your creativity
§ Session hijacking
§ Defacement
§ Undermining defenses (e.g. CSRF)
§ Keylogging
§ Network scanning
§ …
§ Can be used to launch a more elaborate attack
37. Apache.org Compromise
1. Report bug with obscured URL containing reflected XSS attack (http://tinyurl.com/XXXXXXX)
2. Admin opens link, compromising their session
3. Attacker disables notifications for a hosted project
4. Attacker changes upload path to a location that can execute JSP files
5. Attacker adds new bug reports with JSP attachments
6. Attacker browses and copies filesystem through JSP; installs backdoor JSP with webserver privileges
http://blogs.apache.org/infra/entry/apache_org_04_09_2010
38. Apache.org Compromise
7. Attacker installs JAR to collect passwords on login
8. Triggered logins by sending out password reset mails
9. One of the passwords matched an SSH account with full sudo access
10. The accessible machine had user home folders, with cached subversion credentials
11. From the subversion machine, privilege escalation was unsuccessful
http://blogs.apache.org/infra/entry/apache_org_04_09_2010
39. Different Types of XSS
§ Different types of script injection
§ Persistent: stored data used in the response
§ Reflected: part of the URI used in the response
§ DOM-based: data used by client-side scripts
http://www.example.com/search?q=<script>alert('XSS');</script>
<h1>You searched for <script>alert('XSS');</script></h1>
REFLECTED XSS
40. Different Types of XSS
http://www.example.com/search?name=<script>alert('XSS');</script>
<script>
  // vulnerable: the URL fragment after "name=" is written into the page unescaped
  name = document.URL.substring(document.URL.indexOf("name=") + 5);
  document.write("<h1>Welcome " + name + "</h1>");
</script>
<h1>Welcome <script>alert('XSS');</script></h1>
DOM-BASED XSS
41. Mitigating XSS
§ Secure coding practices
§ Do not rely on simple filters (e.g. removing <, >, &, ", ')
§ Use context-sensitive output encoding
• HTML body: <h1>DATA</h1>
• HTML attributes: <div id='DATA'>
• Stylesheet context: body { background-color: DATA; }
• Script context: alert("DATA");
• URL context: <a href="http://example.com?arg=DATA">
§ Additional layers of defense
§ Browsers incorporate reflective XSS filters
§ Content Security Policy allows servers to prevent inline script execution
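Context-sensitive output encoding for the five contexts listed above, as an added example (not code from the slides): one encoder per context, and the reflected "You searched for" page from the XSS slides rendered safely. Function names are my own; the sample inputs in the comments are constructed.

```javascript
// Added example: output encoders chosen by the context the data lands in.

// HTML body context: <h1>DATA</h1>
function encodeHtml(data) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(data).replace(/[&<>"']/g, c => map[c]);
}

// HTML attribute context: <div id='DATA'>. Everything non-alphanumeric becomes a
// numeric entity, so the data can never terminate the quoted attribute.
function encodeHtmlAttr(data) {
  return String(data).replace(/[^A-Za-z0-9]/g,
    c => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Stylesheet context: body { background-color: DATA; } (CSS hex escape + terminating space).
function encodeCss(data) {
  return String(data).replace(/[^A-Za-z0-9]/g,
    c => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// Script context: alert("DATA"), i.e. data inside a quoted JS string literal.
function encodeJsString(data) {
  return String(data).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL context: a query-string value is percent-encoded first ...
function encodeUrlParam(data) {
  return encodeURIComponent(String(data));
}

// The reflected-XSS example from the earlier slide, now with body-context encoding:
// "<script>alert('XSS');</script>" renders as text instead of executing.
function renderSearchResult(query) {
  return '<h1>You searched for ' + encodeHtml(query) + '</h1>';
}

// ... and, because the URL sits inside an HTML attribute, attribute-encoded on top.
function renderLink(arg) {
  return '<a href="http://example.com?arg=' + encodeHtmlAttr(encodeUrlParam(arg)) + '">link</a>';
}
```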
43. XSS and JS MVC Frameworks
§ JS MVC frameworks change the underlying architecture
§ Highly dynamic front ends, delivered as static application files
§ Data-oriented back ends
§ Difficult to match to traditional XSS countermeasures
§ Server lacks any context information about the data
§ More security responsibilities for the client-side application
§ Protect against injection attacks during data binding
50. Example: Allowing User-Provided Images
http://some-shop.com/coolcar.png
USER INPUT
GENERATED HTML
{{input type="text" value=x}}
<div><img src={{x}} /></div>
EMBERJS TEMPLATE
51. Sanitizing Data in EmberJS
§ No built-in capabilities to sanitize data
§ Use an external sanitization library
§ DOMPurify is fast and reliable
{{input type="text" value=x}}
<div>{{sanitize-purify x}}</div>
EMBERJS TEMPLATE
52. Sanitizing Data in EmberJS
import Ember from 'ember';
import sanitizer from "../utils/dompurify";

// Template helper: run the value through DOMPurify, then mark the result as safe
// so the sanitized markup is rendered rather than escaped a second time.
export function sanitizePurify(params/*, hash*/) {
  var text = params[0];
  return Ember.String.htmlSafe(sanitizer.sanitize(text || ""));
}

export default Ember.Helper.helper(sanitizePurify);
EMBERJS SANITIZE HELPER
{{input type="text" value=x}}
<div>{{sanitize-purify x}}</div>
EMBERJS TEMPLATE
53. Data Binding in EmberJS
§ {{ }} produces safe, escaped data
§ Use this to avoid shooting yourself in the foot
§ Use in the correct context, and EmberJS will do the escaping
§ {{{ }}} simply injects raw data, without escaping
§ Don’t use this… like … ever
§ Ember.String.htmlSafe(…) marks a string as safe
§ Will be injected without escaping, even when using {{ }}
§ Only use when you write the static html code yourself
§ Use a sanitizer if you need a selected set of HTML tags
§ Allows markup but removes dangerous features
57. The Essence of CSP
§ CSP reduces the harm of content injection vulnerabilities
§ By telling the client where resources should be loaded from
§ By disabling “dangerous features” by default
§ CSP is intended as a second line of defense
§ A policy consists of a set of directives
§ Each directive controls a different kind of resource
§ Policy is delivered as an HTTP header by the server
§ Compatible browsers will enforce the policy on the response
58. Introducing CSP by Example
<h1>You searched for <script>alert('XSS');</script></h1>
XSS WITH INLINE SCRIPTS
<h1>You searched for <script src="https://evil.com/hackme.js"></script></h1>
XSS WITH REMOTE SCRIPTS
eval('alert("Your query string was '
  + unescape(document.location.search) // hello%22);alert(1+%22
  + '");');
XSS WITH EVAL
59. Introducing CSP by Example
Content-Security-Policy:
default-src 'self';
EXAMPLE POLICY
Content-Security-Policy:
default-src 'self';
script-src 'self' https://cdnjs.cloudflare.com;
EXAMPLE POLICY
60. Content Security Policy
§ CSP started as a research paper by the Mozilla team
§ Aim to give administrators control over the appearance of a site
§ Aim to give users some confidence about where data is sent to
§ Even in the presence of an attacker that controls content
§ By default, CSP will:
§ Prevent resources from being loaded from non-whitelisted locations
§ Prevent the use of eval()
§ Prevent inline content from being executed
• Scripts and styles
61. Introducing CSP by Example
Content-Security-Policy:
default-src 'self';
script-src 'self' https://cdnjs.cloudflare.com;
style-src 'self' https://cdnjs.cloudflare.com/…/bootstrap.min.css;
EXAMPLE POLICY
62. CSP is the Security Policy of the Future
§ CSP has been well received, and evolved quickly
§ Addition of plugin types, sandbox, child contexts, form destinations
§ Additional spec adds UI Security Directives
§ Deprecates X-FRAME-OPTIONS header
§ Additional features to overcome implementation hurdles
§ Widely supported by browsers
§ Chrome makes CSP mandatory for its components
§ Browser extensions and packaged apps
63. A Quick Overview of CSP’s Directives
§ By default, CSP will:
§ Prevent resources from being loaded from non-whitelisted locations
§ default-src
§ Specifies the default sources of all content
§ Can be overridden with more specific directives for each type
§ img-src, style-src, font-src, child-src, media-src, object-src
§ Specifies the sources of these content types
§ connect-src, form-action
§ Specifies the destination of these actions
§ sandbox and frame-ancestors
64. Lifting Content Restrictions in CSP
§ script-src and style-src support the lifting of restrictions
§ By specifying 'unsafe-inline' and 'unsafe-eval'
§ Not recommended, as this renders protection useless
§ CSP 1.1 supports nonces and hashes
§ Inline script and style blocks can be allowed
Content-Security-Policy:
script-src 'self' 'nonce-RANDOM';
EXAMPLE POLICY WITH A NONCE
<script nonce="RANDOM">…</script>
EXAMPLE USE OF A NONCE
65. Lifting Content Restrictions in CSP
Content-Security-Policy:
script-src 'self' 'nonce-a8qzj1r';
EXAMPLE POLICY WITH A NONCE
<script nonce="a8qzj1r">…</script>
EXAMPLE USE OF A NONCE
67. Dynamically Applying Styles without unsafe-inline
§ Sometimes, styles need to be applied dynamically from JS
§ Triggers CSP warnings, requiring the use of unsafe-inline for styles
§ Fixed by using DOM manipulation
§ Not inline style, because this cannot be injected directly
§ Would require a script injection attack first, which CSP also covers
68. CSP Examples
Goal: Load no external resources
Content-Security-Policy:
default-src 'self';
EXAMPLE POLICY
Goal: Load all content over HTTPS
Content-Security-Policy:
default-src https: 'unsafe-inline' 'unsafe-eval';
EXAMPLE POLICY
70. CSP Violation Reports
§ CSP can report violations back to the resource server
§ Allows for fine-tuning of the CSP policy
§ Gives insights into actual attacks
§ Enabled by using the report-uri directive
§ Points to a handler on the server that can process reports
Content-Security-Policy:
default-src 'self';
report-uri http://some-shop.com/csp-report.cgi
EXAMPLE POLICY
72. CSP in Report-Only Mode
§ CSP can be deployed in reporting mode
§ No content will be blocked
§ Warnings will be generated in console
§ If report-uri is specified, error reports will be sent
§ Great for trying out policies before deploying them
Content-Security-Policy-Report-Only:
default-src 'self';
report-uri http://some-shop.com/csp-report.cgi
REPORT-ONLY POLICY
75. EmberJS Enables CSP by Default
§ Taken care of by ember-cli-content-security-policy
§ Also adds unsafe-eval in development mode
§ Also adds live-reload requirements (not shown here)
Content-Security-Policy-Report-Only:
default-src 'none';
script-src 'self';
font-src 'self';
img-src 'self';
style-src 'self';
media-src 'self';
connect-src 'self' http://0.0.0.0:4200/csp-report;
report-uri http://0.0.0.0:4200/csp-report;
EMBERJS DEFAULT CSP POLICY
76. Updating the EmberJS CSP Policy
§ CSP policy can be updated through environment.js
ENV.contentSecurityPolicyHeader = "Content-Security-Policy";
ENV.contentSecurityPolicy = {
  'default-src': "'none'",
  'script-src': "'self' https://",
  'font-src': "'self'",
  'connect-src': "'self'",
  'img-src': "'self'",
  'style-src': "'self' https://maxcdn.bootstrapcdn.com",
  'media-src': "'self'"
};
UPDATING THE EMBERJS CSP POLICY
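Tooling for the two CSP tasks above, "Keeping tabs on your CSP deployment" (violation reports from slides 70 and 72) and the environment.js policy object (slide 76), as an added example that is not code from the slides or from ember-cli-content-security-policy: it serializes a policy object of that shape into a header value, flags directives that still carry 'unsafe-inline' or 'unsafe-eval' (action point 3), and summarizes a browser violation report. Function names and the sample policy and report are my own, constructed values.

```javascript
// Added example: serialize, audit and triage a CSP, independent of the Ember add-on.

// { 'default-src': "'none'", 'script-src': "'self' https://cdn" } -> "default-src 'none'; script-src 'self' https://cdn;"
function buildCspHeader(policy) {
  return Object.keys(policy)
    .map(directive => directive + ' ' + policy[directive].trim())
    .join('; ') + ';';
}

// Directives whose source list still contains an unsafe keyword; an empty result is the goal.
function findUnsafeDirectives(policy) {
  const unsafe = /'unsafe-(inline|eval)'/;
  return Object.keys(policy).filter(d => unsafe.test(policy[d]));
}

// Browsers POST violation reports to report-uri as JSON: {"csp-report": {...}}.
// Returns the fields an operator triages on, or null when the body is not a CSP report.
function summarizeCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  const directive = r['effective-directive'] || r['violated-directive'] || '';
  const blocked = r['blocked-uri'] || '';
  return {
    page: r['document-uri'] || '',
    directive: directive.split(' ')[0],
    blocked: blocked,
    // "inline" / "eval" usually point at the application's own code (inline handlers,
    // eval-based templating); report-only mode exists to surface these before enforcing.
    likelyOwnCode: blocked === 'inline' || blocked === 'eval',
  };
}

// Constructed sample policy in the environment.js shape shown above (one directive left unsafe).
const SAMPLE_POLICY = {
  'default-src': "'none'",
  'script-src': "'self' https://cdnjs.cloudflare.com",
  'style-src': "'self' 'unsafe-inline'",
  'report-uri': "/csp-report",
};

// Constructed violation report, using the remote-script example from the CSP slides.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://some-shop.com/orders',
    'violated-directive': "script-src 'self' https://cdnjs.cloudflare.com",
    'effective-directive': 'script-src',
    'blocked-uri': 'https://evil.com/hackme.js',
  },
});
```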
79. Action Points for Tomorrow
1. Check whether your APIs are vulnerable to CSRF attacks
§ Enable CSRF mitigation through transparent tokens
2. Make sure you refrain from using {{{ }}}
§ Let EmberJS do its contextual escaping
§ Use a sanitizer where necessary
3. Look into your CSP policy
§ Try to get rid of the unsafe-inline and unsafe-eval statements
§ Make the policy as strict as possible
§ Share your findings!
81. Progressive Web Security Training Course
§ Hardening your Applications for a Rocky Future
§ 4 one-day hands-on sessions
§ We cover 4 important Web security topics
1. Why simply deploying HTTPS will not get you an A+ grade
2. How to avoid common pitfalls in authentication and authorization on the Web
3. Why modern security technologies will eradicate XSS
4. Four new browser communication mechanisms, and how they affect your application
https://distrinet.cs.kuleuven.be/events/
82. Securing your EmberJS Application
Acknowledgements
Special thanks to Aad Versteden for his practical EmberJS insights
Icons by Visual Pharm (https://icons8.com)
83. Securing your EmberJS Application
Philippe De Ryck
philippe.deryck@cs.kuleuven.be
/in/philippederyck
https://distrinet.cs.kuleuven.be/events/websecurity/
@PhilippeDeRyck