Presentation about Sitecore and common security flaws that was given at the SUGCON conference in Copenhagen, Denmark. Sources are available at https://github.com/BasLijten/Securitycore
Design Patterns on Sitecore: The Good, the Bad and the Ugly
Michael Reynolds
The document discusses design patterns in software development. It provides definitions of design patterns and their history, then discusses the decorator and template method patterns through examples. Design patterns describe reusable solutions to common programming problems and provide a common vocabulary for developers. The decorator pattern allows adding or modifying object behavior at run-time by placing them inside decorator objects. The template method pattern defines an algorithm in an abstract base class with placeholders for subclasses to implement.
This document compares the security features of several content management systems (CMS): Drupal, Joomla, WordPress, Liferay, and SharePoint. It discusses their code repositories, APIs, security management models, hosting platforms, and security tools. For each CMS, it provides details on their approach to permissions, authentication, vulnerability assessment, hardening, and continuous monitoring. It also notes a past security incident with Drupal's website being compromised.
CSF18 - Securing the Cloud - Karim El-Melhaoui
NCCOMMS
This document discusses securing cloud infrastructure through policy as code and post-exploitation techniques. It provides an overview of implementing policy as code in Azure and AWS to automate governance and enforce basic security rules. It also covers detection techniques in Azure and AWS including using logs, security services, and compliance monitoring. The document demonstrates post-exploitation tactics an attacker could use like password spraying, creating backdoors, and persisting access. It emphasizes the importance of just-in-time access, secure authentication, monitoring, and avoiding overprivileged cloud administrator roles.
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Stenio Ferreira
The document discusses using Vault to securely manage secrets for applications deployed to Pivotal Cloud Foundry (PCF). It describes the typical Vault workflow, how Spring Cloud Vault can integrate Vault with PCF applications, and challenges with this approach. It then introduces the Vault PCF Service Broker, which solves issues by binding applications to Vault upon deployment, generating unique policies and tokens, and injecting credentials as environment variables. It demonstrates the service broker configuration and usage, and discusses limitations including that apps are still responsible for interacting with Vault and bootstrapping secrets.
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
The document discusses security best practices and features for MariaDB and MaxScale databases. It describes threats like SQL injection, denial of service attacks, and excessive trust. It recommends defenses like limiting network access, restricting user privileges, and enabling encryption, auditing, and firewall features. It also explains how MaxScale provides selective data masking, database firewall filtering, and other protections to prevent unauthorized access and secure sensitive data.
The future of Hadoop security and its evolution by Alejandro González at Big ...
Big Data Spain
The document discusses the future of Hadoop security and its evolution. It outlines what Hadoop users want to do in terms of security like protect data, be compliant, and anonymize data. It then summarizes the security measures the Hadoop community has implemented so far like authorization, auditing, encryption, and authentication methods. Finally, it outlines the next steps for Hadoop security which include scaling security administration, centralizing identity management, common security across clusters in the cloud, attribute based access control, single sign on, and centralized security dashboards.
This document provides information on secure coding practices for data protection. It discusses classifying data based on sensitivity, encrypting data at rest and in transit, implementing HTTPS securely, using certificate pinning and HTTP Strict Transport Security (HSTS). It also covers least privilege principles, avoiding data leakage, enforcing same-origin policy, and managing cross-origin access controls. The document is a training from an IT security consultant on best practices for secure coding.
Top Ten Proactive Web Security Controls v5
Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
The Notorious 9: Is Your Data Secure in the Cloud?
BCS ProSoft
The first part of this presentation is designed to scare the cloud out of you by talking about some of the common and often overlooked concerns with cloud security. Then we'll bring you right back by showing you how cloud technology publishers, as well as VARs like BCS ProSoft, are taking steps to mitigate potential threats and keep your business up and running 24/7/365.
This document discusses how network monitoring can be used to detect and manage threats. It describes Cisco's Stealthwatch solution, which leverages NetFlow data to provide network visibility. Stealthwatch collects and analyzes NetFlow records to generate conversational flow records that provide context about network communications. This enriched flow data can be used to identify anomalies, track indicators of compromise, and monitor for potential insider threats or data exfiltration. The document also outlines how Stealthwatch features like host groups, reports, behavioral analysis and policy monitoring can aid in network security investigations.
This document discusses the importance of HTTP headers for security. It provides an overview of common checks in application security scanners and what they often miss - HTTP headers. The rest of the document reviews specific HTTP header attributes like Content Security Policy, XSS Protection, and HSTS and how to configure them to help prevent vulnerabilities. It also demonstrates a Python tool called gethead that can analyze HTTP headers and detect vulnerabilities.
GDPR and EA Commissioning a web site Part 6 of 8
Allen Woods
Sixth of eight decks written to provide overview guidance on the way the web works for small to medium sized enterprises that are considering commissioning a web site for the first time. This deck introduces the idea that a web site is "not just for Christmas": once it is set live, arguably, the work begins. Search engine optimisation (SEO), cookie management and some of their associated legal issues are introduced.
This document summarizes an OWASP meeting that included discussion of phishing techniques. The meeting started at 7:05PM and included discussion of the Evilginx phishing framework. Evilginx is an open source man-in-the-middle attack framework that can bypass multifactor authentication by capturing session cookies. The document provided details on how Evilginx works, examples of its usage, and information on creating custom phishing templates ("phishlets") for targeting specific websites and applications.
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Canada
- The document discusses security concepts for Cisco Collaboration elements and Cisco WebEx Teams, including managing identity, authentication, authorization, encryption of messages and content, secure search and indexing, compliance, archival, and network security.
- Identity is managed through identity providers, directories, and single sign-on. Messages and content are encrypted using AES256. Searching is done on hashed indexes to protect content. Compliance features include data retention policies, legal holds, and eDiscovery integrations.
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
A brief look at the history of the implementation of secure web headers and an overview of creating and monitoring a content security policy (CSP).
It used to be that browsers were something we fought against to get our sites viewed the way we wanted; now they are our allies.
Far from being dumb proprietary clients that just parse our HTML the way they want, they have evolved into complex software applications.
They provide powerful security controls to make decisions about what to display and debugging tools to enable us to investigate their actions.
It is increasingly common to find malicious exploits targeting web pages within the browser; running crypto-miners, stealing credentials and forging requests.
By implementing a set of headers to be delivered alongside our web pages, we can now work with browsers to protect our site visitors from malicious content and control what is displayed and included on our pages.
In this session we will touch on what threats face our web pages out in the wild and what measures we can employ to work with browsers to protect them.
We will focus on implementing security headers and building a Content Security Policy, and will cover:
- implementation of essential security headers;
- the initial investigation and building of a Content Security Policy (CSP);
- implementation and observation of the CSP in the wild;
- monitoring of the CSP once live;
- evidence of its effectiveness (threats thwarted).
Hopefully attendees will be convinced as to why security headers and CSP are invaluable and why projects should build in time and resources to implement them.
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!
Your Web Application Is Most Likely Insecure
Achievers Tech
This presentation outlines the common security risks in web applications today: what they are, how to find out whether your application is at risk, and the remedies.
The document discusses cross-site scripting (XSS) vulnerabilities. It defines XSS as allowing malicious scripts to be served to users from a vulnerable website. There are different types of XSS vulnerabilities including those without storage and with storage of malicious scripts on the website. The document provides examples of XSS vulnerabilities and discusses how they can be used to steal user credentials and track users. It also outlines challenges in preventing XSS vulnerabilities.
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
Devouring Security: Insufficient Data Validation Risks - Cross Site Scripting (XSS)
• Risk, Stories & the news
• XSS Anatomy
• Untrusted Data Sources – Well, where did that come from?
• Shouldn't it be called CSS instead?
• Types of XSS
- Type 0 [DOM based]
- Type 1 [Reflected or Non-persistent XSS]
- Type 2 [Persistent or Stored XSS]
• Live Demo: XSS 101 with alert('hello XSS world')
• Live Demo: Cookie Hijacking and Privilege Escalation
- Face/Off with John Travolta and Nicolas Cage
• Live Demo: Let's deploy some key loggers, huh?
• Mitigations
  - Input Sanitization
    - Popular Libraries for .Net, Java, PHP
    - Demo: Input sanitization
    - Whitelists (vs. Blacklists)
  - Output Encoding
    - Contextual
    - Demo: Output Encoding
  - Browser Protections & bypasses
  - Framework Protections & bypasses
  - Content Security Policy (CSP) in brief
• Secure Code Reviews: How to spot an XSS
• Tools: Do we have an option?
• XSS Buzz and how to Fuzz
• Renowned Cheat sheets
• Further reading & References
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
With new tools like Angular.js and Node.js, it is easier than ever to build User Interfaces and Single-Page Applications (SPAs) backed by APIs.
But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky.
In this presentation, Robert Damphousse, lead front-end developer at Stormpath, covers web browser security issues, technical best practices and how you can mitigate potential risks. Enjoy!
Topics Covered:
1. Security Concerns for Modern Web Apps
2. Cookies, The Right Way
3. Session ID Problems
4. Token Authentication to the rescue!
5. Angular Examples
This document provides an overview of crafting secure and composable Sitecore SaaS-based applications. It discusses increasing attack surfaces with SaaS and microservices architectures. It then covers security topics like the layered security model, zero trust architecture, securing Docker and Kubernetes, infrastructure as code, automated security testing, and a reference security solution architecture. The presentation emphasizes security by design, automation, and people/process through concepts like DevSecOps. It aims to educate on building security into applications from the start through frameworks, best practices and automation.
Putting firepower into the next generation firewall
Cisco Canada
The document discusses Cisco's Firepower Next Generation Firewall (NGFW) capabilities. It provides an overview of the Firepower software and NGFW platforms like the ASA 5500-X and Firepower 2100/4100 series. It covers the various management options including the Firepower Device Manager, Firepower Management Center, and ASDM. Integration with Cisco Identity Services Engine and third-party systems is also summarized. Finally, it presents an example use case of deploying Firepower NGFWs at the internet edge and in branch offices.
Blockchain - The Next Big Thing for Middleware
Kai Wähner
Fascinating new technologies are emerging these days. Everybody talks about cloud, containers, big data and machine learning. Another disruptive technology is blockchain. You might have heard about blockchain as the underlying infrastructure of Bitcoin, but Bitcoin is just the tip of the iceberg. This slide deck explains the use cases and technical concepts behind blockchain, gives an overview of available services, and points out why middleware is a key success factor in this space.
Javaone 2016 - Operational Excellence with Hystrix
Billy Yuen
This document discusses how Intuit implemented Hystrix, a resiliency library created by Netflix, to improve the reliability of Quickbooks Online (QBO). It describes challenges QBO faced with microservices architecture including cascade failures. It provides an overview of how Hystrix helps with circuit breaking, fallback handling, and metrics. The document also shares Intuit's experience applying Hystrix to legacy code, testing for failures, monitoring metrics, and improving the production support process.
world's fastest delivery pipeline for Sitecore on Azure
Bas Lijten
The document discusses Sitecore deployment pipelines on Azure. It describes how the organization deploys Sitecore websites using web deployment packages, Azure DevOps pipelines, and msdeploy to parameterize configurations. Deployment times have dropped considerably compared with the earlier on-premises servers now that deployments target Azure. The pipeline allows deploying a baseline Sitecore configuration and then redeploying just the changes through parameterization rather than full database migrations, which enables much faster deployments.
This document provides information on secure coding practices for data protection. It discusses classifying data based on sensitivity, encrypting data at rest and in transit, implementing HTTPS securely, using certificate pinning and HTTP Strict Transport Security (HSTS). It also covers least privilege principles, avoiding data leakage, enforcing same-origin policy, and managing cross-origin access controls. The document is a training from an IT security consultant on best practices for secure coding.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
The Notorious 9: Is Your Data Secure in the Cloud?BCS ProSoft
The first part of this presentation is designed to scare the cloud out of you by talking about some of the common and often overlooked concerns with cloud security. Then we'll bring you right back by showing you how cloud technology publishers as well as VARS, like BCS Prosoft are taking steps to mitigate potential threats and keep you business up and running 24/7/365.
This document discusses how network monitoring can be used to detect and manage threats. It describes Cisco's Stealthwatch solution, which leverages NetFlow data to provide network visibility. Stealthwatch collects and analyzes NetFlow records to generate conversational flow records that provide context about network communications. This enriched flow data can be used to identify anomalies, track indicators of compromise, and monitor for potential insider threats or data exfiltration. The document also outlines how Stealthwatch features like host groups, reports, behavioral analysis and policy monitoring can aid in network security investigations.
This document discusses the importance of HTTP headers for security. It provides an overview of common checks in application security scanners and what they often miss - HTTP headers. The rest of the document reviews specific HTTP header attributes like Content Security Policy, XSS Protection, and HSTS and how to configure them to help prevent vulnerabilities. It also demonstrates a Python tool called gethead that can analyze HTTP headers and detect vulnerabilities.
GDPR and EA Commissioning a web site Part 6 of 8Allen Woods
Sixth of eight decks written to provide overview guidance of the way the web works for small to medium sized enterprises who are considering commissioning a web site for the first time. This deck introduces the idea that a web site is "not just for Christmas" and once set live, arguably, the work begins. Search engine optimisation (SEO) and cookie management and some of their associated legal issues are introduced
This document summarizes an OWASP meeting that included discussion of phishing techniques. The meeting started at 7:05PM and included discussion of the Evilginx phishing framework. Evilginx is an open source man-in-the-middle attack framework that can bypass multifactor authentication by capturing session cookies. The document provided details on how Evilginx works, examples of its usage, and information on creating custom phishing templates ("phishlets") for targeting specific websites and applications.
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Canada
- The document discusses security concepts for Cisco Collaboration Elements and Cisco WebExTeams, including managing identity, authentication, authorization, encryption of messages and content, secure search and indexing, compliance, archival, and network security.
- Identity is managed through identity providers, directories, and single sign-on. Messages and content are encrypted using AES256. Searching is done on hashed indexes to protect content. Compliance features include data retention policies, legal holds, and eDiscovery integrations.
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
A brief look at the history of the implementation of secure web headers and an overview of creating and monitoring a content security policy (CSP).
It used to be that browsers were something we fought against to get our sites viewed the way we wanted; now they are our allies.
Far from being dumb proprietary clients that just parse our HTML the way they want, they have evolved into complex software applications.
They provide powerful security controls to make decisions about what to display and debugging tools to enable us to investigate their actions.
It is increasingly common to find malicious exploits targeting web pages within the browser; running crypto-miners, stealing credentials and forging requests.
By implementing a set of headers to be delivered alongside our web pages, we can now work with browsers to protect our site visitors from malicious content
and control what is displayed and included on our pages.
In this session we will touch on what threats face our web pages out in the wild and what measures we can employ to work with browsers to protect them.
We will focus on implementing security headers and building a Content Security Policy, and will cover
- implementation of essential security headers;
- the initial investigation and building of a Content Security Policy (CSP);
- implementation and observation of the CSP in the wild;
- monitoring of the CSP once live;
- evidence of its effectiveness (threats thwarted).
Hopefully attendees will be convinced as to why security headers and CSP are invaluable and why projects should build in time and resources to implement them.
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!
Your Web Application Is Most Likely InsecureAchievers Tech
This presentation outline the common security risks in web application today. What they are, how to find if your application is at risk and the remedies.
The document discusses cross-site scripting (XSS) vulnerabilities. It defines XSS as allowing malicious scripts to be served to users from a vulnerable website. There are different types of XSS vulnerabilities including those without storage and with storage of malicious scripts on the website. The document provides examples of XSS vulnerabilities and discusses how they can be used to steal user credentials and track users. It also outlines challenges in preventing XSS vulnerabilities.
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
Devouring Security: Insufficient Data Validation Risks - Cross Site Scripting (XSS)
• Risk, Stories & the news
• XSS Anatomy
• Untrusted Data Sources – Well, Where did that come from?
• Shouldn’t it be called CSS instead?
• Types of XSS
- Type 0 [DOM based]
- Type 1 [Reflected or Non-persistent XSS]
- Type 2 [Persistent or Stored XSS]
• Live Demo: XSS 101 with alert('hello XSS world')
• Live Demo: Cookie Hijacking and Privilege Escalation
- Face/Off with John Travolta and Nicolas Cage
• Live Demo: Let’s deploy some Key loggers,huh?
• Mitigations
- Input Sanitization
- Popular Libraries for .Net, Java, php
Demo: Input sanitization
- Whitelists (vs. Blackists)
- Output Encoding
Contextual
Demo: Output Encoding
- Browser Protections & bypasses
- Framework Protections & bypasses
- Content Security Policy (CSP) in brief
• Secure Code reviews: Spot an XSS, How?
• Tools: Do we have an option?
• XSS Buzz and how to Fuzz
• Renowned Cheat sheets
• Further reading & References
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
With new tools like Angular.js and Node.js, it is easier than ever to build User Interfaces and Single-Page Applications (SPAs) backed by APIs.
But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky.
In this presentation, Robert Damphousse, lead front-end developer at Stormpath, covers web browser security issues, technical best practices and how you can mitigate potential risks. Enjoy!
Topics Covered:
1. Security Concerns for Modern Web Apps
2. Cookies, The Right Way
3. Session ID Problems
4. Token Authentication to the rescue!
5. Angular Examples
This document provides an overview of crafting secure and composable Sitecore SaaS-based applications. It discusses increasing attack surfaces with SaaS and microservices architectures. It then covers security topics like the layered security model, zero trust architecture, securing Docker and Kubernetes, infrastructure as code, automated security testing, and a reference security solution architecture. The presentation emphasizes security by design, automation, and people/process through concepts like DevSecOps. It aims to educate on building security into applications from the start through frameworks, best practices and automation.
Putting firepower into the next generation firewallCisco Canada
The document discusses Cisco's Firepower Next Generation Firewall (NGFW) capabilities. It provides an overview of the Firepower software and NGFW platforms like the ASA 5500-X and Firepower 2100/4100 series. It covers the various management options including the Firepower Device Manager, Firepower Management Center, and ASDM. Integration with Cisco Identity Services Engine and third-party systems is also summarized. Finally, it presents an example use case of deploying Firepower NGFWs at the internet edge and in branch offices.
Blockchain - The Next Big Thing for Middleware by Kai Wähner
Fascinating new technologies are emerging these days. Everybody talks about cloud, containers, big data and machine learning. Another disrupting technology is blockchain. You might have heard about blockchain as the underlying infrastructure of Bitcoin. But Bitcoin is just the tip of the iceberg. This slide deck explains the use cases and technical concepts behind blockchain, gives an overview about available services, and points out why middleware is a key success factor in this space.
Javaone 2016 - Operational Excellence with Hystrix by Billy Yuen
This document discusses how Intuit implemented Hystrix, a resiliency library created by Netflix, to improve the reliability of Quickbooks Online (QBO). It describes challenges QBO faced with microservices architecture including cascade failures. It provides an overview of how Hystrix helps with circuit breaking, fallback handling, and metrics. The document also shares Intuit's experience applying Hystrix to legacy code, testing for failures, monitoring metrics, and improving the production support process.
World's fastest delivery pipeline for Sitecore on Azure by Bas Lijten
The document discusses Sitecore deployment pipelines on Azure. It describes how the organization deploys Sitecore websites using web deployment packages, Azure DevOps pipelines, and msdeploy to parameterize configurations. Deployment times have decreased from years ago when using on-premise servers to now deploying on Azure. The pipeline allows deploying a baseline Sitecore configuration and then redeploying just changes through parameterization rather than full database migrations. This enables much faster deployment times.
This document contains information about Bas Lijten, a solution architect who blogs about converting MVC applications to SharePoint apps. It includes his contact information and links to several blog posts about integrating technologies like SignalR and WebAPI into SharePoint 2013 apps. The document promotes cleaner separation of apps, servers, and hosts using OWIN middleware for SharePoint development.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
HCL Notes and Domino License Cost Reduction in the World of DLAU by panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and the licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we would like to help you with it!
We explain how you can fix common configuration problems that can lead to more users being counted than necessary, and how you can identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, for example when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future as well.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Building Production Ready Search Pipelines with Spark and Milvus by Zilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data into the serving stack for search. Milvus is a production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to the Milvus vector database for search serving.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features provide convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect their personal devices and information.
HCL Notes and Domino License Cost Reduction in the World of DLAU by panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack by shyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence by IndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Communications Mining Series - Zero to Hero - Session 1 by DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... by Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
How to Get CNIC Information System with Paksim Ga.pptx by danishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
TrustArc Webinar - 2024 Global Privacy Survey by TrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Essentials of Automations: The Art of Triggers and Actions in FME by Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! by SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
7. What can you expect?
• No Sitecore vulnerabilities
• Small tips / tricks (references to my and other blogs)
• Explanation with some mitigations
• 3 demos
16. XSS: Cross-Site Scripting
Possibility to inject client-side scripts into web pages
• Reflected
• Persistent
• Leads to other risks, such as session hijacking and browser takeovers
Standard Sitecore: not much interaction
When adding customizations, this changes, and security bugs might be introduced
Secure development
Sitecore
Largest insurance company of the Netherlands
Top 10 of the most critical web application security flaws
Evilcore: the implementation with security flaws
Safecore: the implementation without them
Setup via Pineapple WiFi
HTTPS login with the login form itself served over HTTP -> not safe
HTTPS:
* Free, SEO, Faster
What happens when a session is fixated, using the Evilcore implementation (I removed the session ID cookie on logout)
The identity doesn't match the content displayed from the xDB
The BeEF framework, which exploits XSS vulnerabilities; in this case, I took a picture with the webcam
Standard Sitecore setup
Situation when a custom component has been added
Situation when that component has the same database permissions and resides in the same instance. Things WILL go wrong if you are vulnerable to SQL injection