PHP and MySQL programming language - khoahoclaptrinhweb.tin.vn, Trình Kim Ngân
1. SECURITY WORKSHOP
Topic: WEB APPLICATION
2. The importance of computer security:
“If you know the enemy and know yourself,
you need not fear the result of a hundred battles”
3. The importance of computer security:
4. CONTENTS:
HTTP Hijacking
Cross Site Scripting (XSS) security flaw
SQL Injection security flaw
5. Part 1: “Stealing” Y/G mail accounts
Story 1: Sniffing
17. What is XSS?
<?php
// $tim comes straight from the query string and is echoed without HTML
// encoding, so any markup in the "search" parameter is rendered by the browser.
$tim = $_GET['search'];
echo "Ban da tim tu khoa la: $tim";
?>
18. What is XSS?
http://victim.com/foo.cgi?q=<html_javascript_exploit_code>...
19. Exploitation possibilities:
Stealing session cookies
Executing “commands”
Phishing
Redirecting to other websites
Defacing or DoS of the web page
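An added example, not code from the slides, that puts the echo from slide 17 beside a hardened version which encodes the value for HTML output and rejects implausible search terms; the function names and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the original slides): the reflected-XSS echo shown
// on slide 17, beside a hardened version that encodes for the HTML context.
// Function names and sample inputs are constructed for this example.

declare(strict_types=1);

// Vulnerable form, equivalent to the slide: the query parameter is placed in
// the HTML response unchanged, so markup in it becomes part of the page.
function renderSearchUnsafe(string $tim): string
{
    return "Ban da tim tu khoa la: $tim";
}

// Hardened form: encode for the HTML-body context before echoing.
// ENT_QUOTES also encodes ' and " so the value stays safe inside attributes,
// and ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function renderSearchSafe(string $tim): string
{
    $encoded = htmlspecialchars($tim, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "Ban da tim tu khoa la: $encoded";
}

// Allow-list validation is a second layer: a search term may contain letters
// (including Vietnamese diacritics), digits, space and a few punctuation
// characters; anything with '<', '>', '"' or quotes is rejected outright.
function isPlausibleSearchTerm(string $tim): bool
{
    return preg_match('/^[\p{L}\p{M}\p{N} _.\-]{1,64}$/u', $tim) === 1;
}

// Constructed inputs: a normal term and one carrying HTML markup.
$inputs = [
    'php tutorial',
    '<script>alert(1)</script>',
];

foreach ($inputs as $tim) {
    echo "input:   $tim\n";
    echo "unsafe:  " . renderSearchUnsafe($tim) . "\n";
    echo "safe:    " . renderSearchSafe($tim) . "\n";
    echo "allowed: " . (isPlausibleSearchTerm($tim) ? 'yes' : 'no') . "\n\n";
}
```

Encoding must match the context the value lands in: htmlspecialchars is correct for the HTML body and attributes, but a value written into a script block or a URL needs a different encoder.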
22. SQL query
Select …. From …. Where
Insert into …
Update …. Set …..
Delete from ….
24. SQL Injection
Exploits the failure to validate input variables.
The variable's value is used in a database query.
The attacker changes the input value, which alters the behaviour of the query and allows SQL commands to be executed.
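An added example, not code from the slides, showing the failure slide 24 describes: a login query built by string concatenation beside the same query as a PDO prepared statement. It uses an in-memory SQLite database so it runs stand-alone; the table, rows, function names and inputs are constructed for this example.

```php
<?php
// Added example (not from the original slides): a query built by string
// concatenation, as slide 24 describes, beside a prepared statement.
// The database, rows, function names and inputs are constructed here.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
// Passwords are stored in clear only to keep the example short; real code
// stores a salted hash and compares with password_verify().
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'alice-secret'), ('bob', 'bob-secret')");

// Vulnerable: the input becomes part of the SQL text, so a single quote in
// it ends the string literal and the rest is parsed as SQL syntax.
function countMatchesUnsafe(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened: the SQL text is fixed; the input travels as a bound value and is
// only ever compared as data, never parsed as SQL.
function countMatchesSafe(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: a wrong password, and a password field containing a
// tautology that turns the concatenated WHERE clause into "always true".
$cases = [
    ['alice', 'wrong-password'],
    ['alice', "' OR '1'='1"],
];

foreach ($cases as [$user, $pass]) {
    printf(
        "input %-16s unsafe=%d safe=%d\n",
        json_encode($pass),
        countMatchesUnsafe($db, $user, $pass),
        countMatchesSafe($db, $user, $pass)
    );
}
```

The unsafe path treats the quote in the second input as SQL syntax, while the prepared statement compares the whole string as data; the same test pair is a quick regression check for any query you convert to parameters.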
In this session, we will focus on security fundamentals. Specifically, we will discuss:
Why application security matters.
Secure development practices.
The range of security technologies that are available.
How developers should consider security at all stages of the development process.
In this agenda topic, we will focus on the importance of application security. Specifically, we will discuss:
Trustworthy computing.
Connection scenarios and security concerns.
Common types of attacks on software systems.
Examples of security intrusions.
Consequences of poor security.
The challenges involved in secure computing.
The role of developers in creating secure applications.
Workforce mobility is increasing, and consequently, the way in which employees connect to your company’s network is evolving. Employees connect in a number of different ways, including traditional wired connections, new and evolving wireless network standards, and dial-up and broadband virtual private network (VPN) connections.
The variety of ways your mobile users connect to your company’s network introduces a number of security concerns, including:
Wireless susceptibility. Although wireless networks can be as secure as wired networks if administered properly, by default, many wireless networks provide the opportunity for any compatible device to connect in an ad-hoc manner.
Employee home security. Many employees have wireless networks at home, and may not be aware of the issues that are involved with securing this type of network. Furthermore, always-on broadband connections make home networks (whether wireless or not) more susceptible to viruses and attackers. The potential susceptibility of home networks may result in viruses or attackers gaining access to your corporate network, either when the user connects over a VPN or when they physically plug their computers into the network on your company’s premises. Although virus checkers and firewalls can help secure home networks and broadband connections, it is often difficult for your network administrators to enforce the use of these defences.
Employees increasingly use their laptop computers and other mobile devices to connect to wireless networks run by third parties. For example, they might connect to WiFi hotspots in coffee houses, airports, hotels, and other places to check their e-mail or to browse the Internet. Because your company has no control over the security of these public networks, they provide a potential route for attackers or viruses. As with home networks, this may result in viruses or attackers gaining access to your corporate network, either when the user connects over a VPN or when they physically plug their computers into the network on your company’s premises.
Applications are becoming increasingly dependent on connections to the Internet, for updated data, Web services, and so on. The Internet is a potential route to your systems for attackers and viruses.
Many businesses require a persistent connection to the Internet so that they can provide Web sites, File Transfer Protocol (FTP) sites, and Web services. As already stated, the Internet is a potential route to your systems for attackers and viruses.
Security attacks will also still happen from within your enterprise. This could be as simple as an employee who writes down a password which then falls into the wrong hands, or it could be deliberate actions from a disgruntled employee. It is important to remember that security is not just required for public facing connections.
Organizational attacks involve one organization breaking into your network to try to access confidential information, thereby gaining a business advantage.
Attackers like to exercise their skill in attempting to bypass security safeguards to gain illegal access to your network.
Automated attacks use software to scan for network vulnerabilities, or to implement a brute force attack. Brute force attacks involve trying many different usernames and passwords or other credentials to gain access to your resources.
Denial of Service attacks overwhelm a server with requests for action, thereby rendering it incapable of providing its normal service.
Viruses, Trojan horses, and worms are harmful programs that act by exploiting some known vulnerability to install themselves on a computer (perhaps by arriving as an attachment to an e-mail). Once present on a computer, they distribute copies of themselves to other connected computers, and these copies also replicate themselves, resulting in a viral-like infection of the computer network.
Accidental breaches in security often result from poor practices or procedures. For example, the exposure of security information, such as usernames and passwords, can be exploited by an attacker to gain access to your network.
CodeRed is a worm that:
Uses randomly generated IP addresses to spread. If the worm infects a vulnerable IIS server, it first creates 100 threads. It uses 99 of those threads to spread the worm, while the 100th thread checks whether it is running on an English (U.S.) Microsoft Windows NT® or Windows 2000 system. If the infected system is an English (U.S.) system, the worm proceeds to deface the infected system’s website.
Exploits an unchecked buffer overrun in Microsoft Index Server 2.0, a component of Internet Information Services (IIS) servers.
Includes code designed to overwhelm the www.whitehouse.gov website.
ILOVEYOU is a virus that:
Is contained in an e-mail attachment called LOVE LETTER FOR YOU.TXT.VBS (a Visual Basic Script file).
Relies on the e-mail recipient opening the attachment.
Deletes image files and MP3 files.
Corrupts the registry.
Spreads by copying the e-mail to all users in the address book.
Nimda is a virus that:
Spreads itself in e-mail attachments named README.EXE.
Locates EXE files on the local computer and infects them by copying the virus file inside their body as a resource. These files then spread the infection when users exchange programs such as games.
Scans the Internet for vulnerable servers and defaces Web pages on those servers, leading to further propagation of the worm through users browsing the infected sites.
Infects network shares, causing any user who opens a Word document on those shares to become infected.
Reads e-mail addresses from your e-mail client and also searches local HTML files looking for additional addresses. It then sends one e-mail to each address containing the README.EXE attachment.
Poor security will result in serious damage to your business.
Your competitors may gain knowledge of your systems or technology, denying you any competitive advantage. Competitors may also be able to copy your ideas or technology and put them to advantage in their own products.
An attack may result in your systems being taken offline while the damage is assessed and rectified.
All effort expended combating security attacks and repairing the damage is lost productivity. This time and effort could have been spent pursuing the business goals of your enterprise.
Your business reputation will be damaged. When security lapses are reported, the assumption is that if your systems security is bad, then many of your other practices will also be bad. It is easy to come to the conclusion that your products and systems are equally poor.
Consumers who are unable to use your website because it has been hacked, or who see a defaced website, will visit your competitors’ websites instead.
The financial losses from security intrusions can be substantial. It is difficult to determine the exact cost of issuing a security fix, but the Microsoft Security Response Center believes a security bug that requires a security bulletin costs approximately $100,000.
The challenges faced when implementing security include balancing the advantages that the attacker has over the defenders, and how the degree of security affects users, as well as conveying the message that security does add business value.
Attackers vs. Defenders:
The defender must protect all points; the attacker can choose the weakest point.
The defender must be constantly vigilant; the attacker can attack at any time.
Security vs. Usability:
Security can be taken to extremes, making the application too difficult to use. Secure developers should strive to make the system as secure as possible, but not to make it impossible to use.
Complex and strong passwords are those that must contain a mixture of uppercase and lowercase letters, and possibly punctuation characters. They must also be long – perhaps 9 or more characters in length.
However, there is often user resistance to strong passwords, because they are more difficult to remember. As soon as a user decides to write down a password so that they can remember it, your security is compromised.
Security As An Afterthought:
Security is often seen as a functionality disabler, as something that gets in the way. However, there is nothing more disabling than an attacker being able to get at your sensitive data. There is also a perception that the cost of implementing security is high and the business benefits are unclear. However, the cost of poor security can be very high, and in exceptional circumstances, could result in business failure.
Building security in from the start is essential to ensure a robust solution. If security is the last issue addressed, fixing any security vulnerabilities that are discovered may break other product functionality, and, as with any other late change in the product development cycle, it is much more expensive than designing security in from the start.
Solution architects, developers, and systems administration personnel must all work together and take collective responsibility for security.
Developers must adopt good practices that ensure the production of secure software. They must be knowledgeable about security vulnerabilities and how to avoid them, and must have both a broad and deep knowledge about security technologies and how to use them in order to create secure solutions.
A holistic approach to security is required. You must consider security at all project stages and for network, host, and application layers.
Even if you have the most secure network infrastructure possible, with completely hardened servers, a simple vulnerability in your application (for example, failing to validate input) renders all of that useless. A holistic approach to security is simply a mindset that developers should adopt. It forms the basis for specific architectures, such as Defense in Depth (DiD), which is explained in the “Writing Secure Code – Best Practices” presentation.
In short, you need to "bake security into your application development lifecycle". For step-by-step guidance on how to achieve this, refer to the Patterns and Practices documentation at http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMFastTrack.asp
The Secure Windows Initiative team at Microsoft has adopted a simple set of strategies called SD3. The SD3 framework has three core concepts: Secure by Design, Secure by Default, and Secure in Deployment. These concepts have shaped the development process to help deliver secure systems.
Secure by Design means that you have taken the appropriate steps to ensure that the overall design of the product is secure from the outset. Include threat modeling at the design phase and throughout the project to identify potential vulnerabilities. Use secure design, coding, and testing guidelines.
Secure by Default means that the product is released so that it is secure out of the box. If features are optional, turn them off by default: a feature that is not activated cannot be used by an attacker to compromise your product. Ensure that the user accounts that run your application have only the least privilege required, so that a compromise has less serious consequences than if an attacker is able to run malicious code under an account with administrator privileges. Ensure that effective access controls are in place for resources.
Secure in Deployment means that the system is maintainable after installation. If a product is difficult to administer, it makes it more difficult to maintain protection against security threats as new ones evolve. Ensure that users are educated to use the system in a secure manner. If a security vulnerability is discovered and a patch is necessary, ensure that the fix is fully tested internally and then issued in a timely manner.
It is crucial that security is built into the entire development lifecycle from architecture and design, through development, testing, deployment, and operations.
The activities shown on this slide are iterative and ongoing. These activities are not one-off activities – they continue throughout the development lifecycle.
You cannot build a secure system until you understand your threats, because you will not know what to defend against.
Threat modelling is covered in more detail in the “Writing Secure Code – Best Practices” presentation.
The threat modelling process is as follows:
Assemble the threat-modelling team.
Decompose the application and analyze its operation by using data flow diagrams (DFD) or similar.
Examine the data flows and use cases and determine the threats to the system.
Rank the threats by decreasing risk.
Choose how to respond to the threats.
Choose techniques to mitigate the threats.
Choose the appropriate security technologies for the identified techniques.
An important part of delivering secure systems is raising awareness of the need for secure programming and keeping all users up to date with ongoing security education.
It is important for all team members to understand how security technologies work. Without that knowledge, you cannot be an effective team member when taking part in threat modelling, or in doing security code reviews.
However, understanding security technologies on their own does not mean that your application is secure. It is important not only to know how the technologies work, but how to use them to solve security problems.
It is essential that programmers know what flawed code looks like so that they can pick up vulnerabilities in code reviews.
Developers need to be fully aware of common security mistakes and know how to avoid or rectify them.
Analysis of any vulnerable code is important so that the same mistake can be avoided in the future, and similar vulnerabilities elsewhere in the product can be identified and resolved.