Web Application Security Reloaded for the HTML5 era - Designing and implementing secure Single Page Applications - Devoxx UK
Ten years after the first OWASP Top Ten list of Web Application Security risks was published, the basics of protecting a typical JEE/Rails/PHP/.NET webapp are becoming mainstream knowledge (although never enough, as the endless series of high-profile vulnerabilities demonstrates).
But the industry-wide move towards HTML5 and Single Page Applications, motivated by the opportunity for more sophisticated interaction and UX, is again upsetting the balance between Hackers and Developers. A wave of new-generation front-end technologies such as Web Components, AngularJS and Ember is attracting Developers with their combination of productivity and innovative UX, but at the same time opens the door to new vulnerabilities and security challenges.
This talk will summarize the main principles of Secure Coding, and will discuss their application to HTML5 applications that interact with REST or WebSocket backends to prevent major risks (including OWASP Top Ten).
A concrete example will demonstrate the use of tools and libraries, from RBAC to JWT, from Spring Security to AngularJS modules for implementing secure HTML5/JS apps.
Attracted by AngularJS power and simplicity, you have chosen it for your next project. Getting started with DataBinding, Scopes and Controllers was relatively quick and easy...
But what do you need to effectively bring a complex application to Production?
We discuss:
- the new Component API,
- lifecycle callbacks ($onChanges),
- selecting different ways for components to collaborate,
- choosing between Two-Way Binding and One-Way Data Flow,
- "smart" vs "dumb" components.
We'll share recipes from our real world experience so that you can productively & reliably build a complex application out of reusable Components.
Mobile HTML5 websites and Hybrid Apps with AngularJS - Carlo Bonamico
AngularJS lets you use today the features of next-generation web standards, making front-end development more productive and fun.
What's better, it provides its "magic" tools to both web AND mobile apps: databinding, dependency injection, modularity, composable and event-driven architecture.
This code-based interactive talk will share some lessons learned: how to structure applications, tune bandwidth and performance, interact with mobile-specific elements such as touch, sensors and finally native-looking UX with Ionic Framework
AngularJS: How to code today with tomorrow's tools - Codemotion Milan 2013 - Carlo Bonamico
Many popular online services have demonstrated the power of JavaScript, HTML5 and mobile technologies. However, designing, implementing & maintaining a rich application for both web and mobile browsers is a challenging task given the characteristics of JavaScript. We will share our real-world experience with AngularJS, an open source, robust and brilliantly usable tool which will make your app mobile and designer-friendly, extremely modular and reusable (with Dependency Injection!), and even easily testable (in JavaScript!), in less than half the code. Expect few slides and lots of code samples and tips from our project experiences.
References:
http://mozilla.github.io/brick/docs.html
http://www.polymer-project.org/
If the hundred year language (from 2113) were available today, would we want to program in it?
Paul Graham http://paulgraham.com/hundred.html
Enter AngularJS
http://www.angularjs.org
And almost transparently upgrade as soon as they are available
http://www.2ality.com/2013/05/web-components-angular-ember.html
Play with AngularJS online
Thanks http://plnkr.co
So get your training!
Codemotion training (4-5 february and 4-5 march 2014)
http://training.codemotion.it/
To learn more
Online tutorials and video trainings:
http://www.yearofmoo.com/
http://egghead.io
All links and reference from my Codemotion Workshop
https://github.com/carlobonamico/angularjs-quickstart
https://github.com/carlobonamico/angularjs-quickstart/blob/master/references.md
Full lab from my Codemotion Workshop
https://github.com/carlobonamico/angularjs-quickstart
Web Components
http://www.w3.org/TR/components-intro
Youtube video "Web Components in Action"
http://css-tricks.com/modular-future-web-components
Books
http://www.ng-book.com
AngularJS and .NET http://henriquat.re
My current plans
integrate AngularJS with my favourite Open Source server-side dev platform
http://www.manydesigns.com/en/portofino
Thank you!
Explore these slides
https://github.com/carlobonamico/angularjs-future-web-development-slides
My presentations
http://slideshare.net/carlo.bonamico
https://twitter.com/carlobonamico
Angular 1.x reloaded: improve your app now! and get ready for 2.0 - Carlo Bonamico
The buzz about the upcoming major reincarnation of AngularJS, with its hot mix of excitement and criticism, has somehow overshadowed the immediate gains enabled by the recent 1.3 and 1.4 releases.
This code-based talk will introduce concepts such as the "Controller As" syntax, component-based directives, the new router and bind once, to demonstrate how mixing these currently available Angular features with good design patterns (and a bit of ES6) provides concrete improvements in performance, modularity, testability and developer productivity to our apps now.
Furthermore, it will show how the main ideas at the basis of Angular 2.0 (API simplification, consistency, even more componentization and interoperability with ES6 and Web Components) can be applied to the design and implementation of 1.x applications, helping us both be more productive now and simplify the upgrade to the "new" Angular.
Presented at the 2014 Cow Town Code Camp in Ft. Worth, TX - http://CowTownCodeCamp.com - Blog Post: http://developingux.com/2014/07/23/modern-web-development/
The world is moving towards ASP.NET MVC... but what about your legacy WebForms development? What are the things you can do today to make your WebForms more testable and reliable, and even increase the SEO and usability of your WebForms?
This talk will walk through applying the Model View Presenter pattern to your ASP.NET WebForm applications and introduce you to some additional enhancements that Microsoft has made to WebForms recently to make your site and life that much better!
Web frameworks are in a time of transition, as technologies like rich Ajax applications and HTML5 emerge. In this presentation, open source frameworks expert Matt Raible reveals which frameworks are fading fast and which will remain relevant for the near and far-off future.
Mobile applications development - why should you start learning it right now? - Natalija Rodionova
- 7 reasons why you should start learning how to develop a mobile app
- How much do mobile app developers earn?
- 10 main instruments of a mobile app developer
- 5 technologies you should learn to be able to develop mobile apps
- 7 pieces of advice to start learning mobile app development
- 5 industries which need mobile app developers
MVVM+MEF session for Microsoft WebDay 2010 in Oporto.
http://www.mswebday.com/
An overview on the MVVM (Model View ViewModel) pattern and MEF (Managed Extensibility Framework) in Silverlight. When and how to use them.
The professionals who just want to know about the topmost web application development frameworks must go through this blog. For the top 10 development Framework introduction, positive and negative aspects are clearly mentioned.
Spring Interview Questions and Answers | Spring Tutorial | Spring Framework T... - Edureka!
This Edureka "Spring Interview Questions and Answers" tutorial will help you prepare for Spring Framework interviews. This tutorial is ideal for freshers as well as experienced developers. Learn about the most important Spring Framework interview questions and answers and know what will set you apart in the interview process. Below are the topics covered in this tutorial:
1. General Questions
2. Dependency Injection/ IoC
3. Beans
4. Annotations
5. Data Access
6. Aspect Oriented Programming(AOP)
7. MVC
Spoilt for choice among the Single Page Application frameworks - Jonas Bandi
This talk gives an overview of the current Single Page Application frameworks and attempts to compare them. The focus is on the current "Top 3" SPA frameworks: Angular, React and Vue.js. The talk also looks beyond them and examines current trends and developments, contrasting the newer approaches of Blazor, Vaadin and Flutter with the traditional SPA frameworks.
Protection and Verification of Security Design Flaws - Hdiv Security
Spring I/O 2017 - 18-19 May, Barcelona
Software vulnerabilities come in two basic flavors: security bugs and design flaws.
Security bugs, such as the popular SQL Injection and Cross-site Scripting vulnerabilities, are errors in coding. Because all of them follow the same specific patterns, they can be detected easily by automated tools, which even report the file and line where the security bug was found, making it simple for software developers to resolve them.
However, half of all software-related security issues cannot be detected by tools.
They are design flaws embedded in the software, and only a person who is familiar with the scope of the web application can identify such vulnerabilities. Until now, they had to be detected manually through pentesting, often resulting in the wholesale redesign of the application architecture.
This represents a huge problem for any business or organization, not only due to the economic cost, but more importantly because of the impact on time to market of applications.
So, what can we do to solve this problem?
This talk presents a solution to protect applications against design flaws and verify them automatically with application security architecture and testing tools working together for the first time.
Following a practical approach this talk presents practical examples using Spring reference applications (PetClinic) based on Spring MVC and Spring REST and using well known pentesting tools such as Burp.
How to migrate a large project from Angular to React - Tomasz Bak
Learn migration strategies for large front-end migration projects with an emphasis on continuous business value delivery.
Identify the Bounded Contexts in your application and make your application more modular.
* Transform - create a parallel new view
* Coexist - leave the existing view for a time, so the functionality is implemented incrementally
* Eliminate - remove the old functionality as users stop using it
GeeCON Microservices 2015: scaling microservices at Gilt - Adrian Trenaman
An evolution of the talk I gave at CraftConf earlier this year, talking about software architecture and micro-services at Gilt. Some new additions include ownership, service discovery and service anatomy.
Application security for the modern web - ISSA South Texas Houston DevOps - Phillip Maddux
Presented on September 9, 2018 at ISSA South Texas Houston DevOps conference (http://www.southtexasissa.org/).
Over the last several years we’ve witnessed, and experienced, an advance towards new approaches in web technologies and the processes to deploy web applications. In this talk, we’ll explore and describe the “Modern Web”, discuss observations on the evolution of the Secure SDLC, recognize existing challenges in achieving real-time threat visibility once web applications are deployed to production, and finally, walk through the concepts that address the challenges in fast paced “agile” development cycles.
The future of web development: write once, run everywhere with angular.js and ... - Mark Roden
This slide deck was used in support of BTE 102 - The future of web development write once, run everywhere with angular.js and domino at IBMConnectED 2015
Presentation was given with Mark Leusink
The final talk of the Frontend2010 conference in Oslo, Norway talking about the need to make technical advancements interesting for people outside our comfort zone and about the benefits of using all the web technologies at our disposal to built bullet-proof solutions rather than flimsy showcases of what technologies could be used for.
My presentation about how to couple ASP.NET MVC and Angular, and how to use these two web technologies together to achieve a solution. This presentation was born from the experience I had over the last year with this pair.
Building modern web sites with ASP.NET Web API, WebSockets and SignalR - Alessandro Pilotti
My session at ITCamp.ro 2012:
Web site development is an ever-changing landscape. Thanks to the latest web browser technologies it's possible to create highly responsive single page applications, requiring a new approach to design and development on the server side. During this session we'll see how to use .NET technologies to get the best out of the new Web API, WebSockets and the excellent SignalR framework.
ITKonekt 2023: The Busy Platform Engineer's Guide to API Gateways - Daniel Bryant
API Gateways are certainly not a new technology, but the way in which they are being deployed, configured, and operated within modern platforms is forcing many of us to rethink our approach. Can we simply lift and shift our existing gateway into the cloud? Is our API gateway GitOps friendly (and does it need to be)? And what about service meshes, CNI, eBPF, and...
Join this talk for a whistle-stop tour of modern API gateways, with a focus on deploying and managing this technology within Kubernetes (on which many modern platforms are built):
- Understand why platform engineers should care about API Gateways today
- Learn about API gateways, options, and requirements for modern platforms
- Identify key considerations for migrating to the cloud or building a new platform on Kubernetes
- Understand how cloud native workflows impact the user/developer experience (UX/DX) of an API gateway
- Explore the components of a complete "edge stack" that supports end-to-end development flows
Slides for the talk with Sonia Pini @Codemotion Milan 2018
So you want to build your (Angular) Component Library? We can help
https://milan2018.codemotionworld.com/conference/
Most modern Front-End frameworks are Component-Oriented, taking advantage of encapsulation and separation of responsibilities to improve developer productivity and application robustness. However, to fully exploit the power of components, you need to aggregate them in a consistent and modular set. In this talk we share our experience in building several component libraries, from API Design concepts to advanced component interaction patterns, from packaging and documentation to refactoring & interoperability. Examples are Angular-based, but most concepts apply to all Front-End dev approaches.
Real World AngularJS recipes: beyond TodoMVC - Carlo Bonamico
Codemotion Rome 2015 Talk with Sonia Pini
You got captured by Angular power and simplicity, and have chosen it for your next project (or you are thinking about it). Creating a prototype with Data Binding, scopes and MVVM was relatively quick and easy. But what do you need to effectively complete and bring a complex application in Production? We will discuss practical recipes from our real world experiences for choosing between ES5, ES6 and TypeScript, designing a modular, event-driven application structure, creating or selecting components and directives, implementing authentication, managing errors and logging, testing and packaging.
Infrastructure as data with Ansible: systems and cloud deployment and management for the lazy developer
Abstract: Great programmers and sysadmins are lazy people: rightly, they prefer avoiding manual, time-consuming and error-prone tasks such as installing and configuring a Linux/Apache/Tomcat cluster for the tenth time.
Ansible, an infrastructure (server, cloud) deployment automation & configuration tool that is both powerful AND simple (in most cases simpler than shell scripts and Maven POMs!), will make developers and IT staff more productive and effective.
http://www.ansible.cc
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review process.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
AI Pilot Review: The World's First Virtual Assistant Marketing Suite - Google
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Globus Connect Server Deep Dive - GlobusWorld 2024 - Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
OpenFOAM solver for the Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam - takuyayamamoto1800
In this slide deck, we show a simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart... - Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv... - Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Providing Globus Services to Users of JASMIN for Environmental Data Analysis - Globus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ... - Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
In the ever-evolving landscape of technology, enterprise software development is undergoing a significant transformation. Traditional coding methods are being challenged by innovative no-code solutions, which promise to streamline and democratize the software development process.
This shift is particularly impactful for enterprises, which require robust, scalable, and efficient software to manage their operations. In this article, we will explore the various facets of enterprise software development with no-code solutions, examining their benefits, challenges, and the future potential they hold.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Web Application Security Reloaded for the HTML5 era
1. @carlobonamico#devoxxuk
Web Application Security
Reloaded for the HTML5 era
Carlo Bonamico
@carlobonamico
carlo.bonamico@nispro.it
http://www.nispro.it
Designing and implementing
secure Single Page Applications
https://wall-simple.sli.do/#/event/cmnxxfl0/section/18289/questions
2. @carlobonamico#devoxxuk
About me
Speaker Bio
– passionate software developer since the C128 era
– PhD and research at the University of Genova / CNIT National TLC
Research Consortium
– exciting time at startup Eptamedia
– now a Solution Architect and Senior Trainer at NIS s.r.l.
between Italy and new London office
Current projects & interests
– training/mentoring teams on AngularJS, Web Security, Continuous
Integration & Delivery
– creating component-based Angular applications
– security reviews and assessments
3. @carlobonamico#devoxxuk
Abstract
Ten years after the first OWASP Top Ten list of Web Application Security risks was
published, the basics of protecting a typical JEE/Rails/PHP/.NET webapp are becoming
mainstream knowledge (although never enough, as the endless series of high profile
vulnerabilities demonstrates).
But the industry-wide move towards HTML5 and Single Page Applications, motivated by the
opportunity for more sophisticated interaction and UX, is again upsetting the balance
between Hackers and Developers. A wave of new-generation front-end technologies such as
Web Components, AngularJS and Ember is attracting Developers with their
combination of productivity and innovative UX, but at the same time opens the door to new
vulnerabilities and security challenges.
This talk will summarize the main principles of Secure Coding, and will discuss their
application to HTML5 applications that interact with REST or WebSocket backends to
prevent major risks (including OWASP Top Ten).
A concrete example will demonstrate the use of tools and libraries, from RBAC to JWT, from
Spring Security to AngularJS modules for implementing secure HTML5/JS apps.
4. @carlobonamico#devoxxuk
Evolution of Application Security
When I taught my first Web Application Security training
– most participants had never heard of SQL Injection and XSS
Thanks to many industry and community players (especially OWASP),
– not to mention many high-profile incidents,
things have started to change...
Application Security
Ensuring Application guarantees
•Confidentiality
•Integrity
•Availability
•Accountability
of the Information it processes
5. @carlobonamico#devoxxuk
Are we doing better?
It's 2015... we were promised flying cars... and what we got is...
See also
– http://www.cvedetails.com/vulnerabilities-by-types.php
– https://www.whitehatsec.com/resource/stats.html
6. @carlobonamico#devoxxuk
Enter HTML5
After years of playing catch-up with Desktop,
the Web is now often the default development target
– powerful APIs
– interactivity
– always up-to-date & cross-platform
the mobile web just adds more push to that
=> the rise of the Single Page Application
Somewhat ill-defined term, but you know what I mean
– HTML templates, statically served
– client retrieves data from REST services / websockets
– views dynamically rendered on the client side
8. @carlobonamico#devoxxuk
First problem
Spiderman's Uncle Ben version:
With great power comes great responsibility...
The Web Application Security version:
With great power come more holes and greater risks!
– increased Surface of Attack
Websockets, storage, apis...
– https://html5sec.org/
– http://html5security.org/
– and once you penetrate the browser, you can do basically everything
and I mean it: calling APIs, installing keyloggers, redirecting user behaviour,
capturing private data
–http://xenotix.in/
“most attacks were already possible...
but they are more powerful now”
http://w3af.org/understanding-html5-security
9. @carlobonamico#devoxxuk
Second problem
We are undergoing a wide architectural shift from
(diagram)
Browser: form-based input, HTML rendering
→ POST params → Server / ← HTML ← Server
Server: HTML templating, Controllers, Interaction Logic, Business Logic
To
(diagram)
Browser: HTML rendering, HTML templating, Interaction Logic
→ POST JSON → Server / ← JSON ← Server
Server: REST endpoints, Business Logic
So many security assumptions do not hold true anymore!
10. @carlobonamico#devoxxuk
The good side
The typical modern HTML5 application architecture has a single/main
advantage:
it forces at the very least a basic degree of separation between UI
and business logic
– even more so with Angular, Ember, React
In our consulting/project/problem solving experience,
the single biggest cause of
– quality
– performance
– security
problems is.... the mixing & coupling of UI and business logic
12. @carlobonamico#devoxxuk
There's hope...
If we properly understand the
new architectural paradigm,
we can turn it into an
advantage
Follow the principles
of secure coding
– Do not trust inputs
– Minimize attack surface area
(and window of opportunity)
– Establish secure defaults
– Principle of Least privilege
– Principle of Defense in depth
– Fail securely
– Don’t trust services
– Separation of duties (vs
configuration)
– Avoid security by obscurity
– Keep security simple
– Fix security issues correctly
13. @carlobonamico#devoxxuk
Top Ten Web Application Risks
– A1-Injection
– A2-Broken Authentication and Session Management
– A3-Cross-Site Scripting (XSS)
– A4-Insecure Direct Object References
– A5-Security Misconfiguration
– A6-Sensitive Data Exposure
– A7-Missing Function Level Access Control
– A8-Cross-Site Request Forgery (CSRF)
– A9-Using Components with Known Vulnerabilities
– A10-Unvalidated Redirects and Forwards
What's different between Request/Response apps and HTML5/SPAs?
14. @carlobonamico#devoxxuk
What changes with HTML5/SPAs?
RED → more critical ORANGE → different solution GREEN → easier
– A1-Injection → same problem, same solution
– A2-Broken Authentication and Session Management
– A3-Cross-Site Scripting (XSS)
– A4-Insecure Direct Object References
– A5-Security Misconfiguration
– A6-Sensitive Data Exposure
– A7-Missing Function Level Access Control
– A8-Cross-Site Request Forgery (CSRF)
– A9-Using Components with Known Vulnerabilities
– A10-Unvalidated Redirects and Forwards
We will focus on those!
16. @carlobonamico#devoxxuk
A3 - XSS
Cross-Site-Scripting means that an attacker can insert custom js code
which is then rendered and executed in the user's browser
– stored (input js in a field → DB → sent back to the page)
– reflected (input js in the url, send the url to a user, js executed)
– DOM-based (input triggers js logic that manipulates the DOM and
inserts custom js)
Remember: any external input is UNTRUSTED!
– so we must avoid mixing user input with js code
17. @carlobonamico#devoxxuk
A3 – Preventing XSS
Looks easy: but HTML allows for multiple mixed execution contexts:
– JS within CSS within HTML within a frame of another HTML …
The proper solution is ESCAPING: encoding the data so that the
browser properly interprets it as plain text (and not js)
– https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
In a well designed SPA,
– clear input paths
REST service responses, user inputs, url bar, ...
– HTML generation through the framework templating engine
– so it is easier to intercept and escape outputs
18. @carlobonamico#devoxxuk
A3 – Preventing XSS with Angular
Since 1.3, the HTML compiler will escape all {{ }} & ng-bind output by default
– https://www.ng-book.com/p/Security
– http://java.dzone.com/articles/angularjs-how-handle-xss
Be careful if you must include user-generated HTML (e.g. in rich text editors)
– take advantage of the services and directives
– ng-bind-html (with angular-sanitize)
renders the HTML after removing “script” tags (beware of img tags)
fully customizable with
–$sceProvider & $sanitizeProvider
– https://docs.angularjs.org/guide/security
Please note:
– escaping in the REST services is not always feasible/useful
– they can be consumed by mobile Apps and other clients
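The escaping rule of slide 17 and the "beware of img tags" warning of slide 18, as an added example that is not part of the slides and not angular-sanitize's code: an HTML-context escaper next to a naive "strip the script tags" filter and a small allow-list sanitizer. The tag parser is deliberately simple (it does not handle `>` inside attribute values) and all inputs in the comments and tests are constructed.

```javascript
// Added example (not from the slides or from angular-sanitize): output escaping for the
// HTML context and a minimal allow-list sanitizer for user-generated HTML, showing why
// "just remove the <script> tags" is not enough. Production code should use a maintained
// library (angular-sanitize, DOMPurify); this parser ignores '>' inside attribute values.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Rule 1 of the OWASP cheat sheet: data placed in an HTML body or attribute value is
// encoded so the browser treats it as text. This is what Angular's {{ }} and ng-bind do.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The naive approach: drop <script> elements and pass everything else through.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Allow-list: tag -> attributes that may survive. Everything not listed is dropped.
const ALLOWED_TAGS = new Map([
  ['p', []], ['b', []], ['i', []], ['em', []], ['strong', []],
  ['ul', []], ['ol', []], ['li', []], ['br', []],
  ['a', ['href', 'title']],
  ['img', ['src', 'alt']],
]);
const URL_ATTRIBUTES = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Browsers ignore whitespace and control characters inside a URL scheme, so remove them
// before deciding whether "java\tscript:..." is a javascript: URL. Relative URLs pass.
function isSafeUrl(value) {
  const compact = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  const scheme = compact.match(/^([a-z][a-z0-9+.-]*):/);
  return scheme === null || ALLOWED_SCHEMES.has(scheme[1]);
}

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*?)\/?>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeHtml(html) {
  // Elements whose content must disappear as well, and comments.
  const stripped = html
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '')
    .replace(/<!--[\s\S]*?-->/g, '');
  return stripped.replace(TAG_RE, (match, closing, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';     // unknown tag removed, its text content stays
    if (closing) return `</${tag}>`;
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const attrName = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (attrName.startsWith('on')) continue;  // onerror, onclick, ...: never allowed
      if (!ALLOWED_TAGS.get(tag).includes(attrName)) continue;
      if (URL_ATTRIBUTES.has(attrName) && !isSafeUrl(value)) continue;
      kept.push(`${attrName}="${escapeHtml(value)}"`);  // re-quote and escape the value
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed sample: the script filter leaves the img handler untouched, the sanitizer does not.
const SAMPLE_COMMENT = '<p>hi</p><img src=x onerror=alert(1)>';
```
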
19. @carlobonamico#devoxxuk
More Angular-specific guidelines
Further suggestions:
– prefer model-based logic
– avoid mixing client side and server side templating
– clear template / data separation
– avoid dynamically generating templates from user input
– do not run input in $eval
20. @carlobonamico#devoxxuk
A3 – XSS - Tools
Static Code Analysis for DOM-based and reflected XSS
– Mozilla ScanJS
https://github.com/mozilla/scanjs
– JSPRime
https://github.com/dpnishant/jsprime
More references
– https://blog.nvisium.com/2014/06/javascript-security-tools.html
21. @carlobonamico#devoxxuk
Remember
Most vulnerabilities are not so serious by themselves
– but become terrible when combined
think Pepsi + Mentos
XSS is an enabler for
– phishing
– browser-based MITM
– session / auth token stealing
– sensitive data extraction
23. @carlobonamico#devoxxuk
Securing cookies
If your cookie is stolen
– via Cross-Site-Scripting, interception, ...
attacker is granted access to the session
At the very least
– always use HTTPS / TLS
– set secure flag
– set HTTPOnly flag
Also, do not store sensitive data in clear in
localStorage / sessionStorage / IndexedDB
25. @carlobonamico#devoxxuk
A5 – Security misconfiguration
A single MITM (Man in the Middle) and you're “done”
– as the attacker can put arbitrary code in your browser
– so, HTTPS everywhere:
https://www.eff.org/Https-everywhere
Be careful with CORS
– Avoid AllowOrigin “*” unless you have very strong authentication
and authorization
Remember to tell the browser to enable stronger protection
– typically through headers such as CSP
– https://www.owasp.org/index.php/List_of_useful_HTTP_headers
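The cookie flags of slide 23 and the CORS/header advice of slide 25, as an added example that is not part of the slides: a small audit function a reviewer could run over a captured HTTP response. The response object, the finding texts and the list of cookies that are allowed to stay JavaScript-readable are constructed for this example.

```javascript
// Added example (not from the slides): audit the security-relevant headers of one HTTP
// response: Set-Cookie flags, Access-Control-Allow-Origin, CSP and HSTS.

// Constructed sample response showing the problems the slides warn about.
const SAMPLE_RESPONSE = {
  status: 200,
  headers: {
    'set-cookie': [
      'JSESSIONID=5; Path=/',                 // session cookie without Secure / HttpOnly
      'XSRF-TOKEN=abc123; Path=/; Secure',    // must stay JavaScript-readable (see the CSRF slide)
    ],
    'access-control-allow-origin': '*',
    'access-control-allow-credentials': 'true',
    'content-type': 'application/json',
  },
};

// Split one Set-Cookie value into the cookie name and a map of lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = new Map();
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    flags.set(key, eq === -1 ? true : attr.slice(eq + 1));
  }
  return { name, flags };
}

// Returns the list of findings (empty when nothing is wrong). Cookies named in
// jsReadableCookies may omit HttpOnly because the client has to read them by design.
function auditResponse(response, jsReadableCookies = ['XSRF-TOKEN']) {
  const findings = [];
  const h = response.headers;
  for (const raw of h['set-cookie'] || []) {
    const { name, flags } = parseSetCookie(raw);
    if (!flags.has('secure')) findings.push(`cookie ${name}: missing Secure flag`);
    if (!flags.has('httponly') && !jsReadableCookies.includes(name)) {
      findings.push(`cookie ${name}: missing HttpOnly flag`);
    }
  }
  const origin = h['access-control-allow-origin'];
  if (origin === '*') findings.push('CORS: Access-Control-Allow-Origin is *');
  if (origin === '*' && h['access-control-allow-credentials'] === 'true') {
    // Browsers refuse this combination; seeing it means credentials were expected to flow.
    findings.push('CORS: wildcard origin together with Allow-Credentials: true');
  }
  if (!h['content-security-policy']) findings.push('missing Content-Security-Policy header');
  if (!h['strict-transport-security']) findings.push('missing Strict-Transport-Security header');
  return findings;
}
```
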
28. @carlobonamico#devoxxuk
What is Authentication
Verifying the user identity
– independently of their profile / authorizations
Several elements:
– where valid users are listed (Realm)
internal, file, DB, LDAP, Active Directory, SSO Server
– what info is used to establish user identity
one or more “factors”: username, password, OTP, certificate...
– how identity is checked the first time
login → credentials validation
– how identity is checked on subsequent requests
validation
29. @carlobonamico#devoxxuk
Traditional Request-Response Applications
e.g. JSP / ASP / PHP
– login page
– successful login creates a session
– protected pages accessed within the session
– data and access control filtered on the server side
often within views or controllers
(sequence diagram)
Browser → Server: POST Login Data
Server → Realm: credentials valid?
Server → Browser: SESSIONID = 5
Browser → Server: GET secured page (SESSIONID = 5)
Server: session 5 auth = true? → filtered HTML page
Session store: SID 5 | AUTH true | DATA carlo,admin
30. @carlobonamico#devoxxuk
Issues with Cookie + Session Authentication
Authentication requires
– checking credentials against a realm
– keeping auth in session state on the server
– sessionid sent in a cookie
Issues
– state replication in clustered servers vs sticky sessions
Single-Sign-On across servers?
– More complex scenarios are possible
e.g. SSO Server, like CAS
– typically cookie based →
all servers must be in the same domain
Remember:
Cookies are sent
with ANY request
to the same domain
(including images)
31. @carlobonamico#devoxxuk
Cookie-based authentication in Single Page
Applications
Can't SPA just do the same?
– login form POSTs to login service
– successful login creates a session and sets a cookie
– protected Pages & REST services accessed within the session
data and access control filtered … where?
(sequence diagram)
Browser → Server: POST Login Data
Server → Realm: credentials valid?
Server → Browser: SESSIONID = 5
Browser → Server: GET secured JSON (SESSIONID = 5)
Server: session 5 auth = true? → { ... }
Session store: SID 5 | AUTH true | DATA carlo,admin
32. @carlobonamico#devoxxuk
Authentication vs Session Management
Pros
– simple to implement
Cons
– not suited to the stateless nature of REST services
Authentication vs Sessions
– They are two different things, although often used together
– REST services
tend to
be stateless
                Unauthenticated                  Authenticated
Stateless       Plain HTTP (e.g. Wikipedia)      REST (e.g. Google APIs)
With Session    Session cookies (e.g. Amazon)    JSP/ASP/PHP (e.g. Intranet Apps)
34. @carlobonamico#devoxxuk
Token-based Authentication
Login establishes a valid token
– each request must be presented with the token
– the server can check token validity at each request
– https://auth0.com/blog/2014/01/07/angularjs-authentication-with-
cookies-vs-token/
(sequence diagram)
Browser → Server: POST Login Data
Server → Realm: credentials valid?
Server → Browser: TOKEN = 5
Browser → Server: GET secured JSON (TOKEN = 5)
Server: token valid? → no session!
35. @carlobonamico#devoxxuk
Issues
Given a token
– how do you know which is the current user?
On the server
– how expensive it is to check the token at each request?
Can you share a token across services?
– can you validate it without connecting to a DB / SSO Server?
37. @carlobonamico#devoxxuk
Creating and Validating Tokens
Simplest way: checking them against a list of valid tokens
– in memory → similar to session-based auth
replication problems
– on a DB
easier clustering, must consider performance
– on an external server
SSO for free, must evaluate performance & complexity
38. @carlobonamico#devoxxuk
JWT - http://jwt.io
JWT = encoded & signed Json object containing
– Access token
– Claims (custom: session, domain, username...)
– Expiration
– and Digital Signature! → verifiable with just the public key
Returned by login REST service
Sent as header at each request
–Authorization: Bearer eyJhbGciO.eyJzdWIiOWV9.eoaDV
Checked by the REST backend at each request
– can also be used with websockets
{
"user": "carlo",
"domain": "NIS",
"expiry": ..
}
39. @carlobonamico#devoxxuk
JWT in angular
Angular Library
– https://github.com/auth0/angular-jwt
Extensible hooks for
– storing and retrieving tokens on the client
Interceptors for
– retrieving tokens from server Response Headers
– optionally refresh tokens
– automatically sending tokens at each request
Robust and simple to use
bower install angular-jwt
40. @carlobonamico#devoxxuk
Token-based Auth in AngularJs
Ingredients
REST endpoints
– /auth/login
Input parameters: credentials
Response: token
– /auth/logout
Input parameters: token
$http or $resource based Client Service
AuthenticationService
– login() logout() methods wrapping the above
– plus isAuthenticated() and possibly currentUser()
44. @carlobonamico#devoxxuk
Saving the token
In both cases, register a then() on the promise
$http(...).then(function(response) {
currentToken.jwt = response.data.access_token;
});
Store it locally
If you need, parse it
tokenPayload = jwtHelper.decodeToken(currentToken.jwt);
date = jwtHelper.getTokenExpirationDate(currentToken.jwt);
bool = jwtHelper.isTokenExpired(currentToken.jwt);
49. @carlobonamico#devoxxuk
Token Storage vs Session Duration
In memory or sessionStorage
– works only in the current tab
– automatically cleared when the tab is closed
In localStorage
– persistent
– works across multiple tabs
– requires explicit expiration
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/
50. @carlobonamico#devoxxuk
Sending Tokens - Cookies vs Headers
Cookies
Pros
– sent automatically
– no code required on the client
Cons
– sent automatically
– even when you do not want them
e.g. <IMG src= in an email
– less control on validity
– stored on client disk
Headers
Pros
– sent only explicitly
– not stored on disk
– unless you want to
– more control
– also prevents CSRF
Cons
– require code on the client side
– but this is normal in SPAs
https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/
52. @carlobonamico#devoxxuk
Routing support for Authentication &
Authorization
Need to configure Routing for
– redirect to login if not authenticated
– redirect to login if token expired
– optionally, redirect back to original URL
– redirect to error page if route not authorized in the current profile
Difficult to do in the default ngRoute
– possible in ui-router
– way easier in angular-new-router
– https://medium.com/angularjs-meetup-south-london/angular-ng-conf-2015-media-25dbe6250154
54. @carlobonamico#devoxxuk
CSRF
See section “Security Considerations” on
– https://docs.angularjs.org/api/ng/service/$http
Angular automatically manages CSRF-prevention tokens if you use cookies
The server needs to set a token
– JavaScript readable session cookie called XSRF-TOKEN on the first HTTP GET request
On subsequent XHR requests
– the server can verify that the cookie matches X-XSRF-TOKEN HTTP header
– the token must be unique for each user and must be verifiable by the server
e.g. a digest of your site's authentication cookie with a salt for added security
Also,
– Angular automatically strips the JSON vulnerability protection prefix )]}',\n that the server may prepend to responses
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/
56. @carlobonamico#devoxxuk
Typical Server side application
Authorization is verified
– in controllers
if (user.hasRole("admin") == true)
– through filters / interceptors
– in views
<hasRole role="admin"> or <if (...)>
confidential info
</hasRole>
Client Browser only receives content it has rights to
– (roughly) works even if security checks are “spaghetti code” in the
JSP/ASP/PHP templates
57. @carlobonamico#devoxxuk
And in a SPA?
Would this be secure?
In users-view.html
<button ng-if="authCtrl.isAdmin"
ng-click="userCtrl.deleteUser()">
or this?
<section ng-if="authCtrl.isAdmin">
{{userCtrl.user.confidentialData}}
</section>
59. @carlobonamico#devoxxuk
Security is up to the server
Even in SPAs, Authorization is still up to the server:
Security controls
– checking authentication state
– checking profile and inferring permissions
– enabling privileged actions
– filtering confidential data
MUST be performed on the server
– in the REST / websocket endpoints
– locally in each service, or via filters/interceptors
Also, the same rule applies to input validation
60. @carlobonamico#devoxxuk
Usability is up to the client
But letting the user click on the button, invoking the service, and
only then displaying an error is not user friendly
UX is up to the client
– Front-End should have enough info to disable/hide the button
if the user is not authorized to click it
retrieve the permissions list from a REST service at logon
E.g. Permission check directives for Angular
<button ng-click="postCtrl.delete()"
has-permission="deletePost">
→ permissions for Role-Based Access Control
61. @carlobonamico#devoxxuk
Checking the user profile
So, in each server endpoint, you should check
– valid authentication
– valid authorization profile which includes privileges for the
currently requested action / data
Example Blog application
if (subject.hasRole("admin"))
  //enable delete post
if (subject.hasRole("editor"))
  //enable modification of post
else
  //only read data
What are
the problems
with this code?
62. @carlobonamico#devoxxuk
What if the rules change?
What if an auditor asks about
what an “editor” can do?
Real-world cases tend to be more complex!
63. @carlobonamico#devoxxuk
Role Based Access Control
Separating Role definition from Permission check
– In each service / action, code checks that the user has the relevant
permission
if (subject.hasPermission("deletePost"))
– Role Definition lists all the permissions
e.g.
–Admin → deletePost, updatePost
–anonymous → readPost
Authorization system maps user/groups to list of roles
– and computes the “merged” set of permissions active for the valid user
user is both Admin & Editor
Permissions are
–changeSettings, deleteUser, addUser, deletePost,
modifyPost
64. @carlobonamico#devoxxuk
Hierarchical permission system
2-level: User → Role → Permissions
3-level: User → Groups → Roles → Permissions
Wildcard Permissions
– blog:deletePost
– blog:readPost
– blog:* means both
blog:readPost:12 → entity-level permission
blog:readPost:* → on all entities
see Apache Shiro
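The merged permission set of slide 63 and the 3-level mapping with wildcard permissions of slide 64, as an added example that is not part of the slides and is not Apache Shiro's code: a Shiro-style model with `User → Groups → Roles → Permissions` and `domain:action:instance` matching. All users, groups, roles and permission strings are constructed.

```javascript
// Added example (not from the slides and not Apache Shiro's code): a Shiro-style
// authorization model with group/role merging and wildcard permission matching.

// Role definitions: centralised, reviewable, and the part that changes often.
const ROLES = {
  admin: ['blog:deletePost', 'blog:updatePost', 'users:*', 'settings:change'],
  editor: ['blog:updatePost', 'blog:readPost:*'],
  anonymous: ['blog:readPost:*'],
};
const GROUPS = { staff: ['editor'], sysops: ['admin', 'editor'] };
const USERS = {
  carlo: { groups: ['sysops'] },
  anna: { groups: ['staff'] },
  guest: { groups: [], roles: ['anonymous'] },
};

// The "merged" set: every permission of every role reachable through the user's groups
// (plus any role assigned directly).
function effectivePermissions(username) {
  const user = USERS[username];
  const permissions = new Set();
  if (!user) return permissions;                       // unknown user: no permissions at all
  const roles = new Set(user.roles || []);
  for (const group of user.groups) for (const role of GROUPS[group] || []) roles.add(role);
  for (const role of roles) for (const p of ROLES[role] || []) permissions.add(p);
  return permissions;
}

// Wildcard matching for "domain:action:instance" strings: "*" matches any value of that
// part, a grant with fewer parts implies every deeper part ("blog:readPost" implies
// "blog:readPost:12"), and a more specific grant implies the broader request only if
// its extra parts are all "*".
function implies(granted, requested) {
  const g = granted.split(':');
  const q = requested.split(':');
  for (let i = 0; i < q.length; i++) {
    if (i >= g.length) return true;
    if (g[i] !== '*' && g[i] !== q[i]) return false;
  }
  return g.slice(q.length).every((part) => part === '*');
}

function hasPermission(username, requested) {
  for (const granted of effectivePermissions(username)) {
    if (implies(granted, requested)) return true;
  }
  return false;
}

// The check at the endpoint stays one focused line that rarely changes; when the rules
// change, only the role table above is edited.
function deletePost(username, postId) {
  if (!hasPermission(username, `blog:deletePost:${postId}`)) {
    throw new Error('forbidden');
  }
  return { deleted: postId };
}
```
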
65. @carlobonamico#devoxxuk
Advantages
Permission check is
– focused, readable
– easy to implement
– easy to test
– rarely changes
Role definition is
– centralized
– easy to review
– easy to change
– as it tends to change often
Secure Design Principle
all parts of the system
need to perform security
checks
but
security check
implementation
should be centralized and
not “spread” in the system
66. @carlobonamico#devoxxuk
RBAC in a Single Page Application
Server-side Ingredients:
– Profile definition mapping Roles to Permissions
static file
db table
possibly cached
Identity server (e.g. OpenAM)
– API for checking permissions
Normally, some of this information is cached to ensure minimal
performance penalty
67. @carlobonamico#devoxxuk
Usable Secure UI in AngularJS
Ingredients:
– /authorization/profile/current REST endpoint
returns a Json
current user roles
merged list of all active permissions
On the Client
– Client Service wrapping the above
– Authorization/ProfileService storing the permission list
hasPermission(p) method
Call the service from
– Controller methods
– Routing callbacks
71. @carlobonamico#devoxxuk
Checking dependencies for vulns
On the client side
– http://retirejs.github.io/retire.js/
npm install -g retire ; retire --path src
– also available as ZAP & mvn plugin
mvn com.h3xstream.retirejs:retirejs-maven-plugin:scan
On the server side
– OWASP Dependency Check
https://github.com/jeremylong/DependencyCheck
dependency-check.sh --app Testing --out . --scan [path to jar files to be scanned]
mvn org.owasp:dependency-check-maven:check
73. @carlobonamico#devoxxuk
A final word
People tend to view Security as “overhead”, not adding value to the project
The reality:
– if you know what to pay attention to, minimal additional costs
– also, in most cases, adding security just means following good design principles
if you separate well concerns, adding security is easy
– favor clarity of intent and code readability
– favor composition over inheritance
– test, test, test!
incorporate security checks in your tests
This lets software adapt more easily to both requirements & security changes
– easier to evolve incrementally & validate each step → see Continuous
Delivery
77. @carlobonamico#devoxxuk
Thank You for your attention
Interested?
– attend our Web Application Security trainings
– engage us for Design/Code Reviews, Vulnerability Assessments &
team mentoring
Read more on
– http://www.nispro.it
– http://www.slideshare.net/carlo.bonamico
Follow us on twitter
– @nis_srl @carlobonamico
updates on Security, AngularJS, Continuous Delivery
Contact me
– carlo.bonamico@gmail.com / carlo.bonamico@nispro.it