The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Seguridad en microservicios via micro profile jwtCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente se presenta el proyecto Eclipse MicroProfile JWT que provee un API Java Empresarial optimizado para arquitecturas orientadas a Microservicios. Se presentará un caso práctico en el que se desarrollará una aplicación segura con MicroProfile JWT, Apache TomEE y AngularJS. Demostrando de esta forma las capacidades de configuración, CDI, autenticación y autorización avanzadas que ofrece Eclipse MicroProfile JWT. Durante esta sesión los asistentes podrán ver los conceptos básicos de seguridad REST con Oauth 2.0, JWT y Http signatures. El caso práctico será presentado utilizando Eclipse Microprofile sobre una aplicación con un Front-End AngularJS y Java EE en Apache TomEE.
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.
2018 colombia deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.
2018 SDJUG Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWTDavid Blevins
In this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Seguridad en microservicios via micro profile jwtCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente se presenta el proyecto Eclipse MicroProfile JWT que provee un API Java Empresarial optimizado para arquitecturas orientadas a Microservicios. Se presentará un caso práctico en el que se desarrollará una aplicación segura con MicroProfile JWT, Apache TomEE y AngularJS. Demostrando de esta forma las capacidades de configuración, CDI, autenticación y autorización avanzadas que ofrece Eclipse MicroProfile JWT. Durante esta sesión los asistentes podrán ver los conceptos básicos de seguridad REST con Oauth 2.0, JWT y Http signatures. El caso práctico será presentado utilizando Eclipse Microprofile sobre una aplicación con un Front-End AngularJS y Java EE en Apache TomEE.
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.
2018 colombia deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.
2018 SDJUG Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWTDavid Blevins
In this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfileJean-Louis MONTEIRO
Microservices based architecture seems to be the common convergence point in the industry. But when it comes to security we are still struggling to evolve from monolithic systems or people oriented architecture. This presentation will be focusing on this landscape and explain how to leverage the quickly evolving MicroProfile JWT specification to secure Microservices and in a fully stateless and scalable manner. We’ll introduce the specification in a quick and no nonsense fashion and move on to several code examples that show how to setup JWT verification and obtain trusted claims via lookup or dependency injection. For our playground, we’ll be using Apache TomEE, fully open source lightweight Java EE server and MicroProfile implementation.
GnuPG, popularly knowns as gpg is an alternative to PGP module and mainly used for encryption and decryption of keys while sending mail or data.
This presentation shows various useful gpg commands that you can use in day-to-day life.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Madrid JUG Deconstructing REST SecurityBruno Baptista
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
Side-Channels on the Web: Attacks and DefensesTom Van Goethem
In this presentation we explore various side-channel attacks in the Web that can be used to leak information on cross-origin responses. These so-called XS-Leaks issues may allow an adversary to extract sensitive information from an unwitting visitor, ranging from personal information this victim shared with social media networks to CSRF tokens, which may lead to full account takeover.
Finally, we discuss the various defenses that can be used to harden web applications against the different types of attacks.
2017 Devoxx MA Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
Cryptography for Java Developers
Hashes, MAC, Key Derivation, Encrypting Passwords, Symmetric Ciphers & AES, Digital Signatures & ECDSA
About the Speaker
What is Cryptography?
Cryptography in Java – APIs and Libraries
Hashes, MAC Codes and Key Derivation (KDF)
Encrypting Passwords: from Plaintext to Argon2
Symmetric Encryption: AES (KDF + Block Modes + IV + MAC)
Digital Signatures, Elliptic Curves, ECDSA, EdDSA
Live demos and code examples: https://github.com/nakov/Java-Cryptography-Examples
Video (in Bulgarian language): https://youtu.be/ZG3BLXWVwJM
Blog: https://nakov.com/blog/2019/01/26/cryptography-for-java-developers-nakov-at-jprofessionals-jan-2019/
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?
How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.
We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!
jsrsasign is a opensource free pure JavaScript cryptographic library. This slide shows its features such like RSA/ECDSA signing, PKCS#1/8 private/public key, ASN.1, certificate, JWT/JWS/JWK for introduction.
These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).
In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2018 Denver JUG Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 jPrime Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 IterateConf Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfileJean-Louis MONTEIRO
Microservices based architecture seems to be the common convergence point in the industry. But when it comes to security we are still struggling to evolve from monolithic systems or people oriented architecture. This presentation will be focusing on this landscape and explain how to leverage the quickly evolving MicroProfile JWT specification to secure Microservices and in a fully stateless and scalable manner. We’ll introduce the specification in a quick and no nonsense fashion and move on to several code examples that show how to setup JWT verification and obtain trusted claims via lookup or dependency injection. For our playground, we’ll be using Apache TomEE, fully open source lightweight Java EE server and MicroProfile implementation.
GnuPG, popularly knowns as gpg is an alternative to PGP module and mainly used for encryption and decryption of keys while sending mail or data.
This presentation shows various useful gpg commands that you can use in day-to-day life.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Madrid JUG Deconstructing REST SecurityBruno Baptista
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
Side-Channels on the Web: Attacks and DefensesTom Van Goethem
In this presentation we explore various side-channel attacks in the Web that can be used to leak information on cross-origin responses. These so-called XS-Leaks issues may allow an adversary to extract sensitive information from an unwitting visitor, ranging from personal information this victim shared with social media networks to CSRF tokens, which may lead to full account takeover.
Finally, we discuss the various defenses that can be used to harden web applications against the different types of attacks.
2017 Devoxx MA Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
Cryptography for Java Developers
Hashes, MAC, Key Derivation, Encrypting Passwords, Symmetric Ciphers & AES, Digital Signatures & ECDSA
About the Speaker
What is Cryptography?
Cryptography in Java – APIs and Libraries
Hashes, MAC Codes and Key Derivation (KDF)
Encrypting Passwords: from Plaintext to Argon2
Symmetric Encryption: AES (KDF + Block Modes + IV + MAC)
Digital Signatures, Elliptic Curves, ECDSA, EdDSA
Live demos and code examples: https://github.com/nakov/Java-Cryptography-Examples
Video (in Bulgarian language): https://youtu.be/ZG3BLXWVwJM
Blog: https://nakov.com/blog/2019/01/26/cryptography-for-java-developers-nakov-at-jprofessionals-jan-2019/
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?
How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.
We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!
jsrsasign is a opensource free pure JavaScript cryptographic library. This slide shows its features such like RSA/ECDSA signing, PKCS#1/8 private/public key, ASN.1, certificate, JWT/JWS/JWK for introduction.
These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).
In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2018 Denver JUG Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 jPrime Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 IterateConf Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2017 JavaOne Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Boulder JUG Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 JavaLand Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2019 ITkonekt Stateless REST Security with MicroProfile JWTJean-Louis MONTEIRO
This presentation will be focusing on this landscape and explain how to leverage the quickly evolving MicroProfile JWT specification to secure Microservices and in a fully stateless and scalable manner. We’ll introduce the specification in a quick fashion and move on to code examples that show how to setup JWT verification and obtain trusted claims via lookup or dependency injection.
2017 dev nexus_deconstructing_rest_securityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group.
So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.
OAuth 2.0 es un protocolo abierto que nos brinda autorización y delegación para nuestras APIs HTTP. En esta sesión daremos un repaso al estado del arte de la seguridad en las APIs HTTP. A continuación pasaremos a entender que es este protocolo y como funciona. Daremos un repaso a todos sus flujos: Authorization Code, Implicit, Client Credentials, ROPC, PKCE… y veremos ejemplos en directo para acabar de tener un imagen completa de todo lo que nos ofrece y que nos servirá para cuando empecemos a trabajar con servidores de identidad OIDC.
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.
Sesión del Global Azure Bootcamp 2017. Azure Key Vault nos permite asegurar los servicios alojados, las claves y contraseñas en un almacenamiento especial y protegido. En esta sesión exploraremos las capacidades de Azure Key Vault y veremos como es necesario su uso en la Star Trek para garantizar la seguridad.
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Nat Sakimura
OAuth 2.0 Authorization Framework, while achieved an extremely large adoption, has been exposed to various attacks and a num- ber of additional specifications to patch the problem has been created. It is expected that other attacks would come in the future requiring yet another patch specification. To avoid such future problems, a more systematic approach is needed.
This paper attempts to do it by applying BCM principles on OAuth (RFC6749). It demonstrates that additional parameters in all four messages are needed as well as the integrity protection of both authorization request and response.
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)Guy Podjarny
When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust.
If that’s not motivation enough, the web’s giants are actively promoting HTTPS, requiring it for features such as HTTP2 & ServiceWorker, using it for search engine ranking and more. To make the most of the web, you need to use HTTPS.
This deck reviews what HTTPS is, discusses why you should prioritize using it, and cover some of the easiest (and most cost effective) steps to get started using HTTPS
Strong Authentication in Web Application #SCS IIISylvain Maret
Swiss Cyber Storm 3 Security Conference / OWASP Track
Strong Authentication: State of the Art 2011
Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach
How to integrate Strong Authentication in Web Application?
OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)
Similar to Stateless Microservice Security via JWT and MicroProfile - Guatemala (20)
Non-relational databases have come with the promise of assisting software in the Big Data age, handling the challenges of variety, velocity, and volume that come with it.
However, several points plague even the most experienced software architects: How do I migrate my data to NoSQL and which one? Where are the relationships? Should I use some ORM? The purpose of this talk is to answer all of these questions and provide some essential tips so that your NoSQL experience is not a disaster.
Modern Cloud-Native Jakarta EE Frameworks: tips, challenges, and trends.Otávio Santana
Java has a large number of tools and frameworks to facilitate integration with databases, microservices, and so on. These tools have evolved considerably. It all started with class integrated with XML files and has undergone significant evolution with reflections and annotations within the class definitions. In the cloud-native scenario, requirements have changed and this impacts applications in ways that weren't critical before. For example, cold starts and boot time wasn't critical with application servers but is crucial in serverless and microservices. The objective of this presentation is to talk about how these frameworks behave in the native cloud age and they affect Jakarta EE.
Architecting Cloud Computing Solutions with Java [1.1]Otávio Santana
Cloud-Native has become a big buzzword around the world, a term that is practically used by everyone at all times. But what does it mean? What are the advantages it brings to your application and your day as a software developer or architect? What's new in the Java world, and what are the steps to follow for a native cloud application? This presentation is a step-by-step guide that will practically guide you through implementing Cloud computing services effectively and efficiently.
Arquitetando soluções de computação em nuvem com JavaOtávio Santana
O Cloud Native se tornou uma grande palavra de ordem em todo o mundo, um termo que é praticamente usado por todos em todos os momentos. Mas o que isso significa? Quais são as vantagens que ele traz ao seu aplicativo e ao seu dia como desenvolvedor ou arquiteto de software? O que há de novo no mundo Java e quais são as etapas a seguir para um aplicativo em nuvem nativo? Esta apresentação é um guia passo a passo que praticamente o guiará na implementação de serviços de computação em nuvem de maneira eficaz e eficiente.
Build, run, and scale your Java applications end to endOtávio Santana
This presentation will talk about a solution to the continuous deployment cloud hosting solution that can scale applications from the smallest projects to those handling millions of visitors. It is ideal for agile software teams because of its unique feature: it can replicate a live production cluster in seconds and create byte-level clones of throwaway dev and staging environments, which makes testing and validation 90% faster.
ORMs: Heroes or Villains Inside the Architecture?Otávio Santana
In the information age, with new technologies, frameworks, and programming languages, there is an aspect of technology that never changes. All applications need a storage integration related to their system; either SQL or NoSQL, to point out that there is a different paradigm among the development team and the database team. To make developer life easier, new frameworks emerged that convert between the application layer and the database, which includes the famous ORM. Indeed, contemporary challenges appear such as how to handle different paradigms that are in software development and how to make a regular development without impacting on the database.
Let’s be honest: the amount of data collected by applications nowadays is growing at a scary pace. Many of them need to handle billions of users generating and consuming data at an incredible speed. Maybe you are wondering how to create an application like this? What is needed? What benefits can you take from this reality to your project? This session shows how Jakarta EE can meet these needs when you’re working with NoSQL databases in the cloud. It’s the same approach used by some of the biggest companies in the world to store, analyze, and get results from really crazy amounts of data. No matter your project size, you can take it to the next level today.
Jakarta EE Meets NoSQL in the Cloud Age [DEV6109]Otávio Santana
Let’s be honest: the amount of data collected by applications nowadays is growing at a scary pace. Many of them need to handle billions of users generating and consuming data at an incredible speed. Maybe you are wondering how to create an application like this? What is needed? What benefits can you take from this reality to your project? This session shows how Jakarta EE can meet these needs when you’re working with NoSQL databases in the cloud. It's the same approach used by some of the biggest companies in the world to store, analyze, and get results from really crazy amounts of data. No matter your project size, you can take it to the next level today.
Let’s Make Graph Databases Fun Again with Java [DEV6043]Otávio Santana
It’s a fact: today NoSQL databases are very popular in several areas of the software industry. They have many different uses cases, including graphs. The graph database has a structure that’s pretty different from relational technology and has a lot of successful use cases such as recommendation systems on Facebook and LinkedIn. This session covers what a graph database is and how to use it with Java. With a useful and practical live demo of career recommendation with Neo4J, you will learn how easy it could be to build your next successful application. Today!
Eclipse JNoSQL: One API to Many NoSQL Databases - BYOL [HOL5998]Otávio Santana
Eclipse JNoSQL is a Java framework that streamlines the integration of Java applications with NoSQL databases. It defines a set of APIs and provides a standard implementation for most NoSQL databases. This clearly helps achieve very low coupling with the underlying NoSQL technologies used in applications. The objective of this session is to show how to use the Eclipse JNoSQL framework to connect with a NoSQL database and perform operations to manipulate and extract information.
Stateless Microservice Security via JWT and MicroProfile - MexicoOtávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Eclipse JNoSQL: The Definitive Solution for Java and NoSQL DatabaseOtávio Santana
JNoSQL is a framework and collection of tools that make integration between Java applications and NoSQL quick and easy—for developers as well as vendors. The API is easy to implement, so NoSQL vendors can quickly implement, test, and become compliant by themselves. And with its low learning curve and just a minimal set of artifacts, Java developers can start coding by worrying not about the complexity of specific NoSQL databases but only their core aspects (such as graph or document properties). Built with functional programming in mind, it leverages all the features of Java 8. This session covers how the API is structured, how it relates to the multiple NoSQL database types, and how you can get started and involved in this open source technology.
Polyglot Persistence is a fancy term to mean that when storing data, it is best to use multiple data storage technologies, chosen based upon the way data is being used by individual applications or components of a single application
Building a Recommendation Engine with Java EEOtávio Santana
Recommender systems have become increasingly popular in recent years and are utilized in a variety of areas, including movies, music, news, books, research articles, search queries, marketplaces, social tags, and products in general. A platform with a recommender system—such as NetFlix, with movies; dating systems, with relationships; and Amazon, with books—makes the user experience exceptional. This presentation covers how to create a recommendation engine with Java EE to rocket your business.
The Apache Cassandra database is the right choice when you need scalability and high availability without compromising performance. Linear scalability and proven fault-tolerance on commodity hardware or cloud infrastructure make it the perfect platform for mission-critical data.Cassandra's support for replicating across multiple datacenters is best-in-class, providing lower latency for your users and the peace of mind of knowing that you can survive regional outages
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
4. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD
“Lo mejor de los standares es que terminas
teniendo muchas opciones por escogerThe nice
thing about standards is
you have so many to choose from.”
- Andrew S. Tanenbaum
48. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD Nuevo Access Token
∙ header (JSON > Base64 URL Encoded)
∙ Describe como la firma (signature) del token puede ser
verificada
∙ payload (JSON > Base64 URL Encoded)
∙ Json map de información que desees incluir
∙ Campo estándar como el de Expiración
∙ signature (Binary > Base64 URL Encoded)
∙ La firma digital
∙ Hecha exclusivamente por el endpoint: /oauth2/token
∙ Si es RSA puede ser verificado por cualquier persona
76. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD
MicroProfile
∙ Comunidad Open-Source de la fundación Eclipse
∙ Enfocada en Microservicios bajo JavaEE
∙ Generadora de: Specificaciones, API y TCK.
∙ Implementado por diferentes entidades
http://microprofile.io/