Every microservice in production must be secured. Ensuring this takes significantly more effort than in a monolithic system because of the sheer number of services. If the system is additionally operated in a public cloud, neither the communication inside the cloud provider's infrastructure nor the connection over the Internet may remain unencrypted. On top of that, the appropriate authorization checks must take place in every individual service.
This session shows how easy and effortless it is to implement security measures with a service mesh tool like Istio. With a few small Istio rules, all communication in the service mesh is secured with mutual TLS (mTLS). Basic checks of service-to-service communication and end-user authorization using JWT can also be delegated to Istio. The extended authorization checks within a Java service are illustrated using the MicroProfile specifications.
Short presentation (2 hrs) on the SSL and TLS protocols and their reference standards. Good for intermediate participants or technical staff who want to understand secure protocols an
Review of the WPA2 Krack Attack. The full research paper that the presentation is based on can be downloaded from here: https://www.krackattacks.com/. You can find my podcast on the iTunes Store CYSReport https://cysreport.com, and my blog is https://debinfosec.com.
This presentation covers common cryptographic attacks, secure cryptographic implementation requirements, an overview of FIPS 140-2 and secure crypto implementation guidelines.
Last mile authentication problem: Exploiting the missing link in end-to-end s... - Priyanka Aash
With a "Trust none over the Internet" mindset, securing all communication between a client and a server with protocols such as TLS has become a common practice. However, while communication over the Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected.
This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary way of authentication, the insecurity of this "last mile" renders the security of the rest of the communication strands obsolete. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.
In the IT field we need secure data communication, and one of the most widely used utilities for it is OpenSSL. In our slides you will find a basic introduction to OpenSSL and how to use it with BackTrack for local communication data encryption.
One obvious side effect of migrating to a microservices architecture is the need for infrastructure automation. Unfortunately, most automation systems do not take security into consideration, making production deployments orders of magnitude more complex than the initial testbed deployment.
The perfect example of this steep increase in deployment difficulty is the creation and management of Public-Key-Infrastructures (PKI). Even though the use of TLS Certificates for service to service communication is known as a best-practice, very few companies actually deploy their systems using mutually-authenticated TLS connections.
In this talk I will go over why TLS is the right solution for service to service communication, describe ways to automate the creation and management of your PKI, and present in detail how Docker's swarm orchestration system bootstraps and manages individual node certificates.
The wolfSSL lightweight SSL/TLS library now includes TLS 1.3 support. This slide deck, from a seminar given in Tokyo, Japan, covers the differences in TLS 1.3 and what wolfSSL currently supports.
Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &... - Teleport
Teleport allows you to implement industry best practices for SSH and Kubernetes access, meet compliance requirements, and have complete visibility into access and behavior. But invariably, change happens. Teleport allows users to request elevated privileges in the middle of their command-line sessions and create fully auditable dynamic authorizations. These requests can be approved or denied via ChatOps in Slack, in PagerDuty, or anywhere else via a flexible Authorization Workflow API.
- The Slack integration allows users to access role permission requests through Slack messages and approve them from within the app.
- The PagerDuty integration allows Teleport permission requests to function as PagerDuty incidents. They can be approved or denied through a PagerDuty special action.
Link to video:
https://youtu.be/onyoT8BCSe0
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
We've all used SSH dozens of times, but do we really understand how to SSH properly? Using such a powerful tool can come with a lot of risks, especially when we're on highly distributed teams with well-trodden workflows that can be tough to change. In an era of sophisticated phishing attacks and threats always knocking at our doors, we could all use a little help with making sure our infrastructure is as secure as it can be.
Join Gus Luxton from Gravitational as he talks about how you too can level up your SSH game - switch from keys to certificates, funnel your access through a bastion server, set up 2-factor authentication and cross-reference your users with an external identity provider. For reference, check out Gus’ blog on the topic, How to SSH Properly.
This presentation covers the current status of TLS 1.3 in the wolfSSL embedded TLS library (as of the time it was presented). It talks about the Draft status of TLS 1.3, middlebox compatibility, extensions, RSA-PSS negotiation and the specification's progress in the TLSWG (TLS Working Group).
www.wolfssl.com
www.wolfssl.com/tls13
It is an IETF standardization initiative whose goal is to produce an Internet-standard version of SSL. The presentation discusses all of it. Happy learning. :)
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF - Gokul Alex
DEFCON is one of the world's largest and most notable hacker conventions. It is an esoteric experience of an elusive kind. It is a daring dream to destroy the dystopian darkness of super surveillance states. Here we are presenting our passion for Blockchain Security in DEFCON 28, based on the theme 'Preventing DDoS Attacks on Ethereum 2.0 using Verifiable Delay Function Powered Authentication Architectures'. When we teamed up together a month ago, we never imagined that we would march into the league of extraordinary hackers to present our beloved blockchain security models in front of the pioneers and paragons in the security space. We are grateful to all our well-wishers in Governments, Private Sector, Academic Institutions, Think Tanks and Research Organisations across the world who have inspired us to deep dive on the creative convergence of cryptography and consensus algorithms to weave this world together. Our session is part of the Block Village stream in DEFCON 28. Please find further details of the event in the Block Village portal: https://www.blockchainvillage.net/schedule2020
#defcon2020 #defcon28 #cybersecurity #ethereum #blockvillage #blockchainsecurity #blockchainaudit
Secure Application Development in the Age of Continuous Delivery - Tim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is that secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of microservices, it's imperative to focus efforts on what attackers view as vulnerable, particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
The cloud is rapidly becoming the de facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to their proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome.
In this deck, we discuss:
- The need for API/Microservices Security
- The importance of delegating security enforcement to an API Gateway
- API Authentication and Authorization methodologies
- OAuth2 - The de-facto standard of API Authentication
- Protection against cyber attacks and anomalies
- Security aspects to consider when designing Single Page Applications (SPAs)
Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/
System hacking is the way hackers get access to individual computers on a network. ... This course explains the main methods of system hacking—password cracking, privilege escalation, spyware installation, and keylogging—and the countermeasures IT security professionals can take to fight these attacks.
ZKorum: Building the Next Generation eAgora powered by SSI - SSIMeetup
The immense potential unlocked by SSI in content-centric social networks (forums) is largely unaddressed by the recent wave of decentralized social networks. Enter ZKorum - a network of verifiable communities where members create anonymous polls and discussions. In this episode, Nicolas Gimenez, the Co-Founder and CTO of ZKorum, unveils the Alpha version and delves into its architecture, drawing inspiration from SSI, DWeb, and Password Managers.
Strong Authentication in Web Application #SCS III - Sylvain Maret
Swiss Cyber Storm 3 Security Conference / OWASP Track
Strong Authentication: State of the Art 2011
Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach
How to integrate Strong Authentication in Web Application?
OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)
Hop-by-hop authentication and source privacy in wireless sensor networks - LeMeniz Infotech
Message authentication is one of the most effective ways to thwart unauthorized and corrupted messages from being forwarded in wireless sensor networks (WSNs). For this reason, many message authentication schemes have been developed, based on either symmetric-key cryptosystems or public-key cryptosystems.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo - Katie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
Service Specific AuthZ In The Cloud Infrastructure - Michael Hofmann
An application operated in production generally cannot do without authorization checks. Following the OWASP principle "Defense in Depth", the AuthZ checks should not take place only in the application code. An additional layer for permission checking, ideally in the cloud infrastructure, is considered best practice. With a service mesh tool, application-specific declarative AuthZ checks can be performed in the sidecar. The possibilities that Istio offers here are examined more closely in this session. TLS/mTLS and authentication, as necessary prerequisites for AuthZ, are also presented in detail.
New Ways To Production - Stress-Free Evolution Of Your Cloud Applications - Michael Hofmann
Deploying new versions of your own cloud applications to the production environment in an orderly, stable and therefore stress-free and risk-free manner should be the goal of every development team. If this is done together with suitable test strategies, without downtime and fully automated, the basis for high-frequency release changes is laid. A service mesh tool such as Istio provides the necessary support for various deployment strategies: Canary, A/B testing (HTTP header routing), Blue/Green (traffic mirroring). Combining this with a progressive delivery operator such as Flagger increases the automation even further. Hotfixes and hectic release rollbacks thus become a thing of the past. In this session the different release and test strategies are presented in more detail. In addition, it is shown how Istio and Flagger can be integrated and what benefits result from this.
Developer Experience Cloud Native - Become Efficient and Achieve Parity - Michael Hofmann
Efficient cloud development involves more than fast deployment of services into the cloud. Smooth development and debugging of the services directly in the cloud also increases efficiency. In addition, the development environment should be as identical as possible to the production environment. The 12-Factor App list has long recommended this in point 10: "Dev/prod parity".
This session presents a selection of open-source tools that help a Java developer achieve the following goals: fast and synchronous deployment (Skaffold), development and debugging in the Kubernetes pod (OpenLiberty with Ksync, Quarkus Live Coding), and extending the Kubernetes perimeter for local development (telepresence or Bridge to Kubernetes). The demos in this session illustrate how easy these tools are to use.
Service Mesh vs. Frameworks: Where to put the resilience? - Michael Hofmann
Distributed systems should definitely no longer be developed and operated without resilience. The responsible developer or architect must first consider which resilience patterns are necessary. The next question is how the implementation of these patterns in the individual services should take place. One can distinguish between two basic alternatives. On the one hand an implementation with the classic resilience frameworks such as Resilience4J, Failsafe or MicroProfile Fault Tolerance. On the other hand, it is also possible to establish resilience with a service mesh tool like Istio.
In this session, after a brief introduction to Istio, the two basic alternatives are compared. The respective advantages and disadvantages are listed and compared in a final evaluation. Additional possibilities of Istio to explicitly test resilience will also be introduced.
Service Mesh vs. Frameworks: Where to put the resilience? - Michael Hofmann
Distributed systems should definitely no longer be developed and operated without resilience today. The responsible developer or architect must first consider which resilience patterns are necessary. The next question is how these patterns should be implemented in the individual services. Two basic alternatives can be distinguished. On the one hand, there is implementation with the classic resilience frameworks such as Resilience4j, Failsafe or MicroProfile Fault Tolerance. On the other hand, it is now also possible to establish resilience with the help of a service mesh tool such as Istio. In this session, after a brief introduction to Istio, the two basic alternatives are compared. The respective advantages and disadvantages are listed and contrasted in a final evaluation. In addition, it is shown which possibilities Istio offers for testing resilience.
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/... - Michael Hofmann
Developing cloud-native applications brings a lot of complexity for developers. Without tools to compensate for this complexity, you will not become very efficient. Additionally, cloud developers often suffer rising frustration from fighting these problems.
Before I push my code into Git, I want to test different things in my cloud environment. Therefore it is essential to have a fast and easy round trip. A classic round trip starts with writing or generating code, then creating a Docker image, deploying it into Kubernetes, and testing or remote-debugging the application in Docker or in Kubernetes. Without some elementary tools, this round trip will not be very fast or simple, and is therefore error-prone.
This lab will show you some open-source tools that make your life as a developer easier. Short demos will demonstrate the simple handling of these tools. The starting point is the generation of a MicroProfile and a Spring Boot application. By using the different tools (e.g. Helm, shell completion, kubectl cp, Ksync, Stern, Kubefwd, Telepresence, ...) on these applications, the complete round trip will be shown. Most of these tools can also be used with other programming languages. Every tool works on its own, which makes it easy to switch between them.
Finally you will get an evaluation of these tools, and I will give you an outlook on tools that are more focused on larger developer teams.
Servicing Monoliths - The Path to New Technologies and on to the Servi... - Michael Hofmann
The migration from monolithic applications to a service-based application landscape does not bring only advantages. Besides the necessary use of new system components, such as OpenID Connect or cloud technologies like OpenShift, there are other challenges that must be mastered. Decomposing the monolith into microservices, and the communication relationships that arise between these services, forms a so-called service mesh. Depending on the number of services and communication paths, a complex web quickly emerges that must be kept under control. Istio is one of the tools that can be a great help in operating and managing the service mesh.
Service Mesh with Istio and MicroProfile - a harmonious combination? - Michael Hofmann
Developing a cloud-native application is only one side of the coin; the other side is the cloud environment in which the application is to be operated. As an architect, you have to make decisions that also depend on the runtime environment. Some aspects, such as configuration, resilience, health checks, metrics, request tracing and service discovery, are strongly coupled to the cloud environment.
Istio, which can be operated as an open platform on Kubernetes, for example, offers these functionalities. On the other hand, MicroProfile also has a set of specifications that can be helpful when implementing the cloud-native application. The session starts with a brief introduction to Istio and MicroProfile and then shows how these two worlds can best be combined in a cloud-native application.
Service Mesh - kilometer 30 in a microservice marathon - Michael Hofmann
Distributed applications like microservices shift some of their complexities into the interaction of services. Such a service mesh, which can have hundreds of runtime instances, is very difficult to manage. You will be concerned with some of the following questions: Which service will be requested by which other services in which version and how often depending on the request content? How can you test the interaction and how can you replace single services with new ones?
These and other questions will be discussed in this session. Tools to make your live easier with a service mesh will also be introduced.
Service Mesh - Kilometer 30 im Microservices-MarathonMichael Hofmann
Verteile Anwendungen wie Microservices verlagern einen Teil der Komplexität in das Zusammenspiel der Services untereinander. Ein solches Service Mesh, das bis zu dreistellige (oder mehr) Laufzeitinstanzen haben kann, wird sehr schwierig zu beherrschen. Man muss sich mit Fragen auseinander setzen wie zum Beispiel: Welcher Service wird von welchem Service in welcher Version bei welchem Request-Inhalt wie oft aufgerufen? Wie kann man das Zusammenspiel testen und wie werden einzelne Services durch neue ersetzt?
Diese und andere Fragestellungen werden in der Session beleuchtet. Dabei werden auch Werkzeuge vorgestellt, die das Leben mit dem Service Mesh vereinfachen sollen.
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderenMichael Hofmann
Im Zuge der voranschreitenden Digitalisierung werden Projekte im Umfeld der API-Economy immer wichtiger. Die Umsetzung solcher Projekte hat in der Regel enorme Auswirkungen auf das gesamte Unternehmen. Vor allem vor dem Hintergrund, dass es im Grunde in jedem Unternehmen sog. Legacy-Systeme gibt, die integriert werden müssen, denn kaum ein Unternehmen im Bereich der Financial Services hat den Vorteil, auf der grünen Wiese starten zu können.
Durch den Schwenk von Legacy-Systemen, die eher monolithisch aufgebaut sind, hin zu Microservices kommen weitere Herausforderungen auf die Projekte zu. Die weitreichenden Auswirkungen erstrecken sich von technischen Herausforderungen verbunden mit der Neuausrichtungen der Softwarearchitektur bis hin zu Konsequenzen bzgl. Betriebsführung und organisatorischen Veränderungen. Im Grunde bleibt hier im Unternehmen kein Stein auf dem anderen.
Wir wollen in dieser Session zeigen, welche Fragestellungen exemplarisch auftreten können und welche Lösungsalternativen diskutiert werden müssen. Dabei werden wir auf die organisatorischen und die technischen Problemfelder in Verbindung mit der veränderten Softwarearchitektur genauer eingehen. Am Ende der Session sollten die Teilnehmer ein Gespür dafür bekommen, wo die Herausforderungen bei solchen Projekten liegen.
MicroProfile ist eine Vereinigung aus namhaften Open-Source-Projekten und Herstellern, die sich das Ziel gesetzt haben, Enterprise Java für Cloud Native und Microservice Architekturen zu optimieren. Dabei soll die Portierbarkeit der Anwendungen innerhalb der verschiedenen MicroProfile-Laufzeitumgebungen gewährleistet werden. Unter Verwendung konkreter Code-Beispiele wird der bereits existierenden Funktionsumfang aufgezeigt. Zum Abschluss wird auf das geplante MicroProfile-Backlog eingegangen und versucht, den angedachten Schulterschluss mit Java EE 8 und Java EE 9 herzustellen.
Microservices with Java EE – Using IBM Liberty as an Example – Michael Hofmann
Many companies currently expect a lot from the present architecture trend: microservices. Among other things, they connect it with the hope of getting certain architecture problems under control, the monolith being the keyword. Development organisations with a focus on Java EE technologies are asking themselves whether and how they can implement microservices optimally with their Java EE tools. In turn, Java EE vendors are extending or changing their products to do justice to the microservices trend. The aim of the talk is to use the example of IBM's WebSphere Liberty Profile server to clarify which advantages and disadvantages the Java EE approach can bring. Not only technological aspects but also organisational problems are addressed. Topics such as DevOps and Continuous Delivery are also touched on in passing. The whole is rounded off with references to well-known case studies, such as Netflix, to provide further food for thought.
Providing Globus Services to Users of JASMIN for Environmental Data Analysis – Globus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR – Tier1 app
Even though, at surface level, 'java.lang.OutOfMemoryError' appears to be one single error, underneath there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient... – Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. This is where custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
Navigating the Metaverse: A Journey into Virtual Evolution – Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G... – Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Paketo Buildpacks: the best way to build OCI images? DevopsDa... – Anthony Dahanne
Buildpacks have existed for more than 10 years! First, they were used to detect and build an application before deploying it on certain PaaS platforms. Then, with their latest generation, the Cloud Native Buildpacks (CNCF incubating), we were able to create Docker (OCI) images. Are they a good alternative to the Dockerfile? What are the Paketo buildpacks? Which communities support them, and how?
Come and find out in this ignite session.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
How to Position Your Globus Data Portal for Success: Ten Good Practices – Globus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Large Language Models and the End of Programming – Matt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
How Recreation Management Software Can Streamline Your Operations.pptx – wottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review process.
1. The Easy Way To Secure Microservices
Michael Hofmann
Hofmann IT-Consulting
info@hofmann-itconsulting.de
https://hofmann-itconsulting.de
2. Microservices and Security
● High number of services
● Every service has to be secured
● The more services, the higher the risk of security breaches
● New vulnerabilities (CVEs) must be fixed in a timely manner in every service
● A malicious actor has more endpoints to exploit
3. Consequence: Zero Trust
● Do not trust any user or service, even inside a trust zone
● Every request has to be authenticated, authorized and secured (TLS)
● JWT: end-to-end (E2E) token or a TokenExchangeService
● On multiple (ideally every) network layers
4. Securing Microservices
● AuthN and AuthZ on every request
● TLS for every communication between services
  – Certificate management for many services
  – A high degree of automation is necessary
  – Without automation, the typical result is TLS termination on the ingress and no TLS inside the K8S cluster
● Is there a one-size-fits-all solution?
5. OWASP (Open Web Application Security Project)
● Defense in Depth (Layered Defense)
● Fail Safe
● Least Privilege
● Separation of Duties
● Economy of Mechanism (Keep It Simple, Stupid: KISS)
● Complete Mediation
● Open Design
● Least Common Mechanism
● Psychological Acceptability
● Weakest Link
● Leveraging Existing Components
https://github.com/OWASP/DevGuide/blob/master/02-Design/01-Principles%20of%20Security%20Engineering.md
9. Istio’s Security Statements
● Security by default: no changes needed to application code and infrastructure
● Defense in depth: integrate with existing security systems to provide multiple layers of defense
● Zero-trust network: build security solutions on distrusted networks
● Authentication, Authorization and Audit tools (AAA tools)
12. NetworkPolicy
● Additional network providers: Antrea, Calico, Cilium, ...
● NetworkPolicy for K8S on Layer 3 and 4
● Istio (mainly) operates on Layer 7
● According to OWASP: Defense in Depth
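The Layer 3/4 segmentation the slide refers to, written out as an added example (not part of the original deck): a namespace-wide default-deny-ingress NetworkPolicy, as named in the rules summary, plus the per-workload allow rule that has to accompany it. The namespace `my-namespace`, the pod labels `app: myendpoint` and `app: frontend`, and container port 8080 are assumptions for illustration.

```yaml
# default-deny-ingress: every pod in the namespace rejects inbound traffic
# unless another NetworkPolicy in the same namespace selects it and allows
# the flow. Enforcement requires a CNI that implements NetworkPolicy
# (Antrea, Calico, Cilium, ...); without one the object is accepted but ignored.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: my-namespace        # assumption: the application namespace
spec:
  podSelector: {}                # empty selector: all pods in the namespace
  policyTypes:
  - Ingress                      # no ingress rules listed => deny all inbound
---
# Per-workload allow rule (one per workload, as in the rules summary):
# only the Istio ingress gateway pods in istio-system and pods labelled
# app=frontend in this namespace may reach the myendpoint pods on the
# application port. Policies are additive, so this opens exactly these
# flows and nothing else. NetworkPolicy sees the original destination
# port even though the sidecar intercepts the connection; the sidecar's
# own connection to istiod is outbound and unaffected by an ingress deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myendpoint-allow-ingress
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      app: myendpoint            # assumption: label of the workload's pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector AND podSelector in one item: gateway pods only
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: istio-system
      podSelector:
        matchLabels:
          istio: ingressgateway
    # a calling service inside the same namespace (assumption)
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080                 # assumption: container port of myendpoint
```

Without the second policy the first one also blocks the ingress gateway, so apply both per namespace and verify with a request from an unlabelled pod that is expected to fail.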
16. AuthN
● Applied to the Istio ingress gateway
● Can be applied to every other workload
● JWT issued by the specified IDP
● Multiple issuers possible
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ingress-idp
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "my-issuer"
    jwksUri: https://idp.mycompany.de/.well-known/jwks.json
17. AuthZ
● A request without a JWT has no authentication identity but is still allowed
● Allow-nothing rule for the complete mesh
● Applied in the root namespace (istio-system)
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: istio-system
spec:
  # action defaults to ALLOW if not specified
  {}
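The per-workload AuthorizationPolicy that the allow-nothing rule needs as its counterpart, as an added example that is not part of the original deck. It assumes the namespace `my-namespace` and pod label `app: myendpoint`, that a RequestAuthentication with the same `jwtRules` as on slide 16 also selects this workload (otherwise its sidecar has no request principal to check), and that the gateway rule sets `forwardOriginalToken: true` so the JWT is not stripped before it reaches the service.

```yaml
# Per-workload ALLOW policy that complements the mesh-wide allow-nothing rule.
# With allow-nothing in istio-system, a request reaches myendpoint only if
# some ALLOW policy selecting that workload matches it. RequestAuthentication
# rejects forged tokens but lets requests without any token through;
# requiring a requestPrincipal here is what turns "no JWT" into a 403.
#
# Assumptions: a RequestAuthentication with the slide-16 jwtRules also
# selects app=myendpoint, and the gateway rule uses forwardOriginalToken: true
# so the Authorization header survives to the sidecar and the application.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: myendpoint-allow-editors
  namespace: my-namespace        # assumption: the application namespace
spec:
  selector:
    matchLabels:
      app: myendpoint            # assumption: label of the workload's pods
  action: ALLOW                  # the default, written out for clarity
  rules:
  # Rule 1: authenticated end users in the edit-role group may write.
  - from:
    - source:
        # requestPrincipals are "<iss>/<sub>" from the validated JWT;
        # "my-issuer" is the issuer configured on slide 16. Any subject of
        # that issuer passes this clause; the claim check below decides.
        requestPrincipals: ["my-issuer/*"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/myendpoint", "/myendpoint/*"]
    when:
    - key: request.auth.claims[groups]   # the claim MP-JWT maps to roles
      values: ["edit-role"]
  # Rule 2: read access for any authenticated user of the issuer. A GET
  # without a valid JWT has no requestPrincipal and is therefore denied.
  - from:
    - source:
        requestPrincipals: ["my-issuer/*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/myendpoint", "/myendpoint/*"]
```

Rules are ORed, so a request is allowed as soon as one rule matches; anything not matched falls back to allow-nothing.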
23. Rules Summary
Functionality              Rules
TLS termination (gateway)  Gateway and Secret
mTLS                       PeerAuthentication
Network Segmentation       NetworkPolicy default-deny-ingress, one per workload
Authentication             RequestAuthentication
Authorization              AuthorizationPolicy allow-nothing, one per workload
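The two rows of the summary not shown elsewhere in the deck, written out as an added example (not the slides' own material): the single PeerAuthentication that switches the whole mesh to mTLS, and a Gateway that terminates TLS from a Secret. The gateway name `public-gateway`, the hostname `api.mycompany.de` and the Secret name `api-mycompany-de-tls` are assumptions.

```yaml
# mTLS for the whole mesh with one rule: a PeerAuthentication in the root
# namespace (istio-system), conventionally named "default", applies to every
# workload without a more specific namespace or workload policy. STRICT
# rejects plaintext from clients without a sidecar. Istio's CA (istiod)
# issues and rotates the workload certificates, so no per-service
# certificate handling is needed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# TLS termination at the edge: the ingress gateway serves HTTPS from a
# kubernetes.io/tls Secret referenced by credentialName. The Secret must
# live in the namespace of the gateway pods (istio-system here) and is
# read by the gateway, not mounted into any application pod.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: public-gateway           # assumption: gateway name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway        # same gateway the RequestAuthentication selects
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE               # server-side TLS; MUTUAL would also demand a client cert
      credentialName: api-mycompany-de-tls   # assumption: Secret with tls.crt/tls.key
      minProtocolVersion: TLSV1_2
    hosts:
    - "api.mycompany.de"         # assumption: public hostname
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true        # answer plaintext with a 301 to https
    hosts:
    - "api.mycompany.de"
```

Renewing the edge certificate means replacing the Secret; the workload certificates behind the gateway are rotated by istiod without any rule change.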
24. AuthZ in MicroProfile
// MyApplication.java: activates MP-JWT authentication for the JAX-RS application
import javax.annotation.security.DeclareRoles;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.eclipse.microprofile.auth.LoginConfig;

@LoginConfig(authMethod = "MP-JWT", realmName = "MY-REALM")
@DeclareRoles({"edit-role", "select-role"})   // one element per role, not one comma-separated string
@ApplicationPath("/")
public class MyApplication extends Application {
}

// MyEndpoint.java: deny everything by default, open single methods per role
import java.security.Principal;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/myendpoint")
@DenyAll                              // class default: no role may call anything ...
public class MyEndpoint {
    @Inject
    private JsonWebToken jwt;         // the validated token, including its claims

    @Inject
    Principal principal;              // caller identity derived from the token (CDI built-in bean)

    @RolesAllowed("edit-role")        // ... except methods explicitly opened for a role
    @POST
    ...
}
● MicroProfile MP-JWT spec
● Role mapping on the JWT claim "groups"
● Validated against the IDP
25. Summary
● Establish security step by step; starting point: only 6 rules necessary
● Only 1 rule for mTLS in the whole cluster, including certificate rotation
● JWT validation (everywhere)
● Fine-grained authZ control by the infrastructure (entry point, every service): KISS
● Customizable authZ control
● Audit (only Stackdriver)
● Defense in depth (3 layers): NetworkPolicy, AuthorizationPolicy, authZ in the service
● Zero Trust