The document discusses identity on the web and potential solutions. It describes issues with having separate identities and passwords for different services. It then summarizes various single sign-on solutions like Microsoft Live ID, Facebook Connect, and OpenID. OpenID is explained in more detail, covering how it works and its limitations. OAuth is also summarized. The document argues that a simpler specification building on OAuth 2.0 that is easier to implement could help solve the identity problem on the web.
An indepth dive into using Behat/Mink/Selenium for BDD testing.
* http://behat.org
* http://mink.behat.org/
* http://docs.seleniumhq.org/
In this talk I'll cover:
* why and when to use Behat (and when not)
* Installation and configuration of Behat and Mink
* Building Behat Contexts
* Avoiding data deadlocks and "test user account" syndrome
* Introduction to Selenium and testing JavaScript
* Best practises for writing tests (what to avoid, what to aspire for, writing stories like you mean it, how to get your product owners to write them)
* Common gotchas
SEO and Social Media for Multilingual and Multidevice Sitesluckyboost
All the tags you need to put in the header of your page for SEO, Best practice on social media (facebook, twitter, google+, pinterest, linkedin), running a multilingual website and for different types of screens.
OAuth is taking off as a standard way for apps and websites to handle authentication. But OAuth is a fast moving spec that can be hard to pin down.
Why should you use OAuth and what are the business and operational benefits? What's the story with all of the different versions and which one should you choose?
Watch this webinar with Apigee's CTO Gregory Brail and Sr. Architect Brian Pagano for 'big picture straight talk' on these OAuth questions and more.
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it.
Account Entrapment - Forcing a Victim into an Attacker’s AccountDenim Group
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it. Presented by Ben Broussard, CISSP of Denim Group
An indepth dive into using Behat/Mink/Selenium for BDD testing.
* http://behat.org
* http://mink.behat.org/
* http://docs.seleniumhq.org/
In this talk I'll cover:
* why and when to use Behat (and when not)
* Installation and configuration of Behat and Mink
* Building Behat Contexts
* Avoiding data deadlocks and "test user account" syndrome
* Introduction to Selenium and testing JavaScript
* Best practises for writing tests (what to avoid, what to aspire for, writing stories like you mean it, how to get your product owners to write them)
* Common gotchas
SEO and Social Media for Multilingual and Multidevice Sitesluckyboost
All the tags you need to put in the header of your page for SEO, Best practice on social media (facebook, twitter, google+, pinterest, linkedin), running a multilingual website and for different types of screens.
OAuth is taking off as a standard way for apps and websites to handle authentication. But OAuth is a fast moving spec that can be hard to pin down.
Why should you use OAuth and what are the business and operational benefits? What's the story with all of the different versions and which one should you choose?
Watch this webinar with Apigee's CTO Gregory Brail and Sr. Architect Brian Pagano for 'big picture straight talk' on these OAuth questions and more.
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it.
Account Entrapment - Forcing a Victim into an Attacker’s AccountDenim Group
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it. Presented by Ben Broussard, CISSP of Denim Group
A talk about browser extensions in Chrome & Safari, why they’re so great for web hackers and how to build them.
Given at JSConf EU on September 26th, 2010 in Berlin, Germany.
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)Nicholas Zakas
In the beginning, progressive enhancement was simple: HTML layered with CSS layered with JavaScript. That worked fine when there were two browsers, but in today's world of multiple devices and multiple browsers, it's time for a progressive enhancement reboot. At the core is the understanding that the web is not print - the same rules don't apply. As developers and consumers we've been fooled into thinking about print paradigms for too long. In this talk, you'll learn just how different the web is and how the evolution of progressive enhancement can lead to better user experiences as well as happier developers and users.
As programmers, we concentrate so much on the server/backend side of things that we often forget to measure performance from the Client's viewpoint. This presentation describes a bunch of techniques that can be used to speed up our websites.
People using your web app also use many other online services. You'll often want to pull data from those other services into your app, or publish data from your app out to other services. In this talk, Randy will explain the terminology you need to know, share best practices and techniques for integrating, and walk through two real-world examples. You'll leave with code snippets to help you get started integrating.
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in-depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to get the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
Web Based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs have introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and Open ID Connect)
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
A talk about browser extensions in Chrome & Safari, why they’re so great for web hackers and how to build them.
Given at JSConf EU on September 26th, 2010 in Berlin, Germany.
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)Nicholas Zakas
In the beginning, progressive enhancement was simple: HTML layered with CSS layered with JavaScript. That worked fine when there were two browsers, but in today's world of multiple devices and multiple browsers, it's time for a progressive enhancement reboot. At the core is the understanding that the web is not print - the same rules don't apply. As developers and consumers we've been fooled into thinking about print paradigms for too long. In this talk, you'll learn just how different the web is and how the evolution of progressive enhancement can lead to better user experiences as well as happier developers and users.
As programmers, we concentrate so much on the server/backend side of things that we often forget to measure performance from the Client's viewpoint. This presentation describes a bunch of techniques that can be used to speed up our websites.
People using your web app also use many other online services. You'll often want to pull data from those other services into your app, or publish data from your app out to other services. In this talk, Randy will explain the terminology you need to know, share best practices and techniques for integrating, and walk through two real-world examples. You'll leave with code snippets to help you get started integrating.
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in-depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to get the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
Web Based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs have introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and Open ID Connect)
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
I used to dislike OAuth (Open Standard for Authentication): how do I implement it? In this slideshow, we delve into consuming it with the Google APIs. We go first into the background and then step-by-step through the process. Follow along today!
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
OAuth is a widespread web-based standard. It’s purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensible credentials across the wire or to third party applications. After lots of tough discussions for two and a half years version 2.0 of this standard has been released – finally.
This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityYu-Shuan Hsieh
In this session, we will review the basic Web authentication and point out security risks of these methods.
To address security issues of user authentication, we will introduce the concept of OTP authentication and how to integrate OTP authentication into your applications.
We also introduce WebAuthn which is a good way to strengthen application's security.
Nowadays many modern web applications are solely relying on JavaScript to render their frontend. But if you want to create mashups, load data from many different places or include external widgets into your site, you are quickly running into boundaries because of browser and security restrictions. In this presentation I will talk about techniques helping you with such problems.
Presentation for the NJIT OpenSocial Hackathon on OpenSocial and it's use cases, OpenSocial Templates and Proxied Content, the OpenSocial Foundation, Apache Shindig and OpenSocial 2.0
Opening up the Social Web - Standards that are bridging the Islands Bastian Hofmann
Social networks are not closed off to the rest of the web anymore. Various standards like ActivityStreams, PubSubHubbub, WebFinger, OpenSocial, Salmon, OEmbed, XAuth or OExchange are emerging to open them up to other websites. I will introduce these protocols, show how they work together, how you can benefit from them and give an outlook on how they will change the world of social networks.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
10. Identity is conveyed by communication
Identity is not fixed but recreated by every
communication with your fellows
Expectations of different people result in
different identities
Lothar Krappmann
15. Passwords are broken
Same password for more than one service
Saved unsecurely in the browser
Names, birthdays, car brand, ...
Disclosed to others
Too short, too simple
Sent over non encrypted connections
39. Authentication vs Authorization
Who is the user?
Is this really user X?
VS
Is X allowed to do something?
Does X have the permission?
Client sites want more than just a
unique identifier (Social Graph)
65. „OpenID has been a burden on support
since the day it was launched.“
„Fewer than 1% of all 37signals users are
currently using OpenID.“
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-
support-of-openid-on-may-1.html
66. „OpenID is the worst possible "solution"
I have ever seen in my entire life to a
problem that most people don't really
have.“
Yishan Wong (Facebook)
http://www.quora.com/What-s-wrong-with-OpenID
67. Failures of OpenID 2.0
Complex to implement
No marketing
Do you have an OpenID?
What is it?
URL as identifier => Bad User Experience
71. Easier to implement
Better user experience
Built on top of OAuth 2.0
More simple specification
wider adption
72. What‘s wrong with OAuth?
Does not work well with non web or
JavaScript based clients
The „Invalid Signature“ Problem
Complicated Flow, many requests
74. What‘s new in OAuth2? (Draft 10)
No signatures
Cookie-like Bearer Token
Different client profiles
No Token Secrets
No Request Tokens
Mandatory TSL/SSL
Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
101. Client Backend
lanyrd. api.twitter.com
com
AJAX
Access-Control-Allow-Origin: *
http://www.w3.org/TR/cors/
102. What happend to signatures?
Bearer Tokens are fine over secure connection
Vulnerable if discovery is introduced
Or if TSL/SSL is not possible
So OAuth 1.0 signatures alternatively available
103. Scopes
Optional parameter for provider
specific implementations
Additional return values
Access Control
104. Scope: „openid“
With access token additional values are returned
UserID: URL to Portable Contacts endpoint
Timestamp
Signature
http://openidconnect.com/
107. OpenID Connect
Discovery
Get Identifier of user
Call /.well-‐known/host-‐meta file at
the domain of the user‘s provider
Look for a link pointing to the OpenID
Connect endpoints in the returned
LRDD
120. Summing it up
• We need a single sign on system for the
web
• Proprietary solutions are bad for users, site
owners and developers
• OpenID is cool, but has some problems
• A new more simple and flexible spec is
coming up
• Browser vendors are working to solve this
problem in the browser