Hardening Principles
Copyright © 2000-2013 Liferay, Inc.
All Rights Reserved.
No material may be reproduced electronically or in print, duplicated,
copied, sold, resold, or otherwise exploited for any commercial purpose
without express written consent of Liferay, Inc.
Time for DEMO!
Let's d0 s0me hacking
WHAT IS HARDENING?
“Hardening refers to providing various means of protection in a computer system.
Protection is provided in various layers and is often referred to as defense in depth.
Protecting in layers means to protect at the host level, the application level, the
operating system level, the user level, the physical level and all the sublevels in
between. Each level requires a unique method of security.”
- http://www.techopedia.com/definition/24833/hardening
“In computing, hardening is usually the process of securing a system by reducing its
surface of vulnerability. A system has a larger vulnerability surface the more that it does;
in principle a single-function system is more secure than a multipurpose one. Reducing
available vectors of attack typically includes the removal of unnecessary software,
unnecessary usernames or logins and the disabling or removal of unnecessary services.”
- http://en.wikipedia.org/wiki/Hardening_(computing)
LAYERS OF HARDENING
NETWORK
SERVER
APPLICATION
NETWORK
Liferay Portal's operating environment is usually spread across multiple servers.
NETWORK - HARDENING
Think about which connections are actually needed.
The Liferay server should be allowed to reach only the servers it requires: database, Solr, disk share, web services, staging/live server.
Liferay Portal should not have a direct Internet connection:
Client connections come in through an HTTP server
The portal reaches the Internet through a proxy
Image: wikipedia.org
SERVER
Liferay running on a server
Image: wikipedia.org
SERVER - HARDENING
Server administration (Unix, Linux)
No root-level access, only sudo
Administrators should use their own personal user IDs to administer
Block unnecessary ports with a firewall
Disable unwanted services
Every application and service should run under its own operating system user account
Separate disk spaces for the system, application, data, logs and temp files
chroot the application server installation
APPLICATION
Liferay-specific hardening principles
APPLICATION – LIFERAY #1
Remove demo data! (if it exists)
APPLICATION – LIFERAY #2
Disable and change the default administrative accounts: change the username / email / password
portal.properties ( default value )
default.admin.screen.name=test
default.admin.password=test
default.admin.email.address.prefix=test
APPLICATION – LIFERAY #3
Keep your Liferay system patched!
APPLICATION – LIFERAY #4
Disable account creation if self-registration is not required!
portal.properties ( default value )
company.security.strangers=true
# Also good to disable open.id auth
open.id.auth.enabled=true
APPLICATION – LIFERAY #5
Make sure that passwords are stored securely!
portal.properties ( default value )
passwords.encryption.algorithm=SHA
## SHOULD BE SSHA or better
APPLICATION – LIFERAY #6
Design permission scheme for Portal users!
NEVER RUN A PORTAL USER WITH THE ADMINISTRATION ROLE
APPLICATION – LIFERAY #7
Do not show portlets if the user does not have permission!
portal.properties ( default value )
layout.show.portlet.access.denied=true
APPLICATION – LIFERAY #8
Change the authentication token / shared secret
portal.properties ( default value )
auth.token.shared.secret=BAHyWOT9TbPB
APPLICATION – LIFERAY #9
Do not touch the p_auth and p_p_auth token settings!
portal.properties ( default value )
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
APPLICATION – LIFERAY #10
Disable autologin functionality that is not required!
portal.properties ( default value )
## SET THOSE NOT REQUIRED TO FALSE
com.liferay.portal.servlet.filters.autologin.AutoLoginFilter=true
com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true
com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
com.liferay.portal.sharepoint.SharepointFilter=true
## REMOVE THOSE NOT REQUIRED
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin...
auto.login.ignore.hosts=
auto.login.ignore.paths=
APPLICATION – LIFERAY #11
HTTP / HTTPS ?
APPLICATION – LIFERAY #12
Disable the Liferay remote services that are not used!
portal.properties ( default value )
spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
spring.remoting.servlet.https.required=false
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
tunnel.servlet.https.required=false
axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
axis.servlet.https.required=false
atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
atom.servlet.https.required=false
webdav.servlet.hosts.allowed=
webdav.servlet.https.required=false
json.servlet.hosts.allowed=
json.servlet.https.required=false
jsonws.servlet.hosts.allowed=
jsonws.servlet.https.required=false
APPLICATION – LIFERAY #13
Disable core portlets, or just the functionality, that you are never going to use!
StrutsActionHooks can be used to disable functionality.
Modify liferay-portlet-ext.xml with an Ext plugin:
liferay-portlet-ext.xml
<portlet>
<portlet-name>...</portlet-name>
<include>false</include>
</portlet>
APPLICATION – LIFERAY #14
Change the company encryption key size and algorithm
portal.properties ( default value )
company.encryption.key.size=56
company.encryption.algorithm=DES
APPLICATION – LIFERAY #15
Security Manager - PACL!
portal.properties
#
# NOTE: This is default setting
#
portal.security.manager.strategy=smart
liferay-plugin-package.properties
security-manager-enabled=true
# Makes the work easier
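The portal.properties items above (#2 to #14) can be checked mechanically. The following script is an added example, not code from the slides or from Liferay: it overlays a portal-ext.properties on the defaults the slides list and reports every setting they say to change. The sample portal-ext.properties is constructed, and treating only SSHA, BCRYPT and PBKDF2 as "SSHA or better" is an assumption.

```python
"""Audit a Liferay portal-ext.properties against the hardening items on the slides (added example)."""
from typing import Dict, List, Tuple

AUTOLOGIN_FILTERS = (
    "com.liferay.portal.servlet.filters.autologin.AutoLoginFilter",
    "com.liferay.portal.servlet.filters.sso.cas.CASFilter",
    "com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter",
    "com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter",
    "com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter",
    "com.liferay.portal.sharepoint.SharepointFilter",
)
REMOTE_SERVLETS = ("spring.remoting", "tunnel", "axis", "atom", "webdav", "json", "jsonws")

# portal.properties defaults exactly as the slides list them. For the remote servlets the
# first four default to hosts.allowed=127.0.0.1,SERVER_IP and the last three to an empty list.
PORTAL_DEFAULTS = """default.admin.screen.name=test
default.admin.password=test
company.security.strangers=true
open.id.auth.enabled=true
passwords.encryption.algorithm=SHA
layout.show.portlet.access.denied=true
auth.token.shared.secret=BAHyWOT9TbPB
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
company.encryption.key.size=56
company.encryption.algorithm=DES
""" + "".join(f"{flt}=true\n" for flt in AUTOLOGIN_FILTERS) + "".join(
    f"{svc}.servlet.hosts.allowed={'127.0.0.1,SERVER_IP' if i < 4 else ''}\n"
    f"{svc}.servlet.https.required=false\n" for i, svc in enumerate(REMOTE_SERVLETS))


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, '\\' continuations."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(ext_text: str) -> List[Tuple[str, str, str]]:
    """Overlay portal-ext.properties on the defaults; return (key, effective value, reason)."""
    cfg = parse_properties(PORTAL_DEFAULTS)
    cfg.update(parse_properties(ext_text))
    findings: List[Tuple[str, str, str]] = []

    def flag(key: str, why: str) -> None:
        findings.append((key, cfg.get(key, ""), why))

    def enabled(key: str) -> bool:
        return cfg.get(key, "false").lower() == "true"

    if "test" in (cfg.get("default.admin.screen.name"), cfg.get("default.admin.password")):
        flag("default.admin.password", "#2: default administrative account unchanged")
    if enabled("company.security.strangers"):
        flag("company.security.strangers", "#4: open self-registration; disable unless required")
    if enabled("open.id.auth.enabled"):
        flag("open.id.auth.enabled", "#4: OpenID login enabled; disable unless required")
    # Assumption: only salted or adaptive schemes count as "SSHA or better".
    if not cfg["passwords.encryption.algorithm"].upper().startswith(("SSHA", "BCRYPT", "PBKDF2")):
        flag("passwords.encryption.algorithm", "#5: unsalted password digest; use SSHA or better")
    if enabled("layout.show.portlet.access.denied"):
        flag("layout.show.portlet.access.denied", "#7: portlets shown to users without permission")
    if cfg["auth.token.shared.secret"] == "BAHyWOT9TbPB":
        flag("auth.token.shared.secret", "#8: shared secret is still the well-known default")
    for key in ("auth.token.check.enabled", "portlet.add.default.resource.check.enabled"):
        if not enabled(key):
            flag(key, "#9: p_auth / p_p_auth token checks must stay enabled")
    for key in AUTOLOGIN_FILTERS:
        if enabled(key):
            flag(key, "#10: autologin/SSO filter active; set to false if not required")
    for svc in REMOTE_SERVLETS:
        if not cfg[f"{svc}.servlet.hosts.allowed"]:
            flag(f"{svc}.servlet.hosts.allowed", "#12: remote service reachable from any host")
        if not enabled(f"{svc}.servlet.https.required"):
            flag(f"{svc}.servlet.https.required", "#12: remote service accepts plain HTTP")
    if (cfg["company.encryption.algorithm"].upper() == "DES"
            or int(cfg["company.encryption.key.size"]) < 128):
        flag("company.encryption.algorithm", "#14: weak company encryption (DES or key < 128 bits)")
    return findings


SAMPLE_EXT = """# constructed sample portal-ext.properties: partly hardened, partly still at defaults
default.admin.screen.name=portaladmin
default.admin.password=CHANGE-ME-placeholder
company.security.strangers=false
passwords.encryption.algorithm=SSHA
layout.show.portlet.access.denied=false
auth.token.shared.secret=REPLACE-WITH-A-LONG-RANDOM-SECRET
com.liferay.portal.servlet.filters.sso.cas.CASFilter=false
jsonws.servlet.hosts.allowed=127.0.0.1,\\
    SERVER_IP
company.encryption.algorithm=AES
company.encryption.key.size=128
"""
```

Running `audit(SAMPLE_EXT)` still reports the OpenID login, the five autologin filters left enabled, the empty webdav/json host lists and all seven services without HTTPS; `audit("")` shows how much the untouched defaults leave open.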
APPLICATION – LIFERAY #16
Antisamy Plugin
APPLICATION – LIFERAY #17
Audit Plugin!
APPLICATION – LIFERAY #18
Log rotation!
PLUGIN DEVELOPMENT
OWASP Top 10
Use frameworks that help you avoid XSS.
Use the Liferay APIs to escape wherever necessary: HtmlUtil.escape(..) etc.
Liferay tags: make sure that escapeModel=true
Use the Liferay permission framework
ServiceBuilder: remember to write permission checks in the remote services
Support the Security Manager / PACL!
RECOVERING!
Make a disaster recovery plan
Step-by-step instructions to rebuild a new system
How do you build the system up again from backups?
How long will this take?
Test the plan!
WHAT ELSE?
Liferay Portal is only one component of your Liferay installation.
Give a hardening thought also to:
Http server
Apache: https://www.google.fi/search?q=hardening+apache2
Application server
Tomcat: https://www.owasp.org/index.php/Securing_tomcat
Database
MySql: https://www.google.fi/search?q=hardening+mysql
Other services
Thanks guys!
Questions!
Liferay Road Show Responsiivinen suunnitteluAmbientia
 
Liferay Road Show Linnunmaa LEX
 Liferay Road Show Linnunmaa LEX Liferay Road Show Linnunmaa LEX
Liferay Road Show Linnunmaa LEXAmbientia
 
Liferay Road Show Rolf van der Steen
Liferay Road Show Rolf van der SteenLiferay Road Show Rolf van der Steen
Liferay Road Show Rolf van der SteenAmbientia
 

Mais de Ambientia (20)

Itms atlassian way-final-2017-10
Itms atlassian way-final-2017-10Itms atlassian way-final-2017-10
Itms atlassian way-final-2017-10
 
Dev ops atlassianway-final-2017-10
Dev ops atlassianway-final-2017-10Dev ops atlassianway-final-2017-10
Dev ops atlassianway-final-2017-10
 
Insight Asset Management for JIRA Service Desk
Insight Asset Management for JIRA Service DeskInsight Asset Management for JIRA Service Desk
Insight Asset Management for JIRA Service Desk
 
APIen hallinnalla uutta liiketoimintaa
APIen hallinnalla uutta liiketoimintaaAPIen hallinnalla uutta liiketoimintaa
APIen hallinnalla uutta liiketoimintaa
 
Miten API management toimii
Miten API management toimiiMiten API management toimii
Miten API management toimii
 
Tunnistamalla asiakaspolut tehostat asiakaspalvelusi toimintaa
Tunnistamalla asiakaspolut tehostat asiakaspalvelusi toimintaaTunnistamalla asiakaspolut tehostat asiakaspalvelusi toimintaa
Tunnistamalla asiakaspolut tehostat asiakaspalvelusi toimintaa
 
OpenShift-webinaari 31.1. / Ambientian esitykset
OpenShift-webinaari 31.1. / Ambientian esityksetOpenShift-webinaari 31.1. / Ambientian esitykset
OpenShift-webinaari 31.1. / Ambientian esitykset
 
ITSM & JIRA Service Desk
ITSM & JIRA Service DeskITSM & JIRA Service Desk
ITSM & JIRA Service Desk
 
Ambientia Service Design -työpaja SYTYKE
Ambientia Service Design -työpaja SYTYKEAmbientia Service Design -työpaja SYTYKE
Ambientia Service Design -työpaja SYTYKE
 
Liferayn rooli Valtorin palveluvalikoimassa
Liferayn rooli Valtorin palveluvalikoimassaLiferayn rooli Valtorin palveluvalikoimassa
Liferayn rooli Valtorin palveluvalikoimassa
 
Digitaalinen asiakaskokemus ja palvelumuotoilu
Digitaalinen asiakaskokemus ja palvelumuotoiluDigitaalinen asiakaskokemus ja palvelumuotoilu
Digitaalinen asiakaskokemus ja palvelumuotoilu
 
Liferay Audience Targeting
Liferay Audience TargetingLiferay Audience Targeting
Liferay Audience Targeting
 
Case Procountor: Zephyr test tool deployment
Case Procountor: Zephyr test tool deploymentCase Procountor: Zephyr test tool deployment
Case Procountor: Zephyr test tool deployment
 
JIRA Portfolio
JIRA PortfolioJIRA Portfolio
JIRA Portfolio
 
Case Containerships JIRA Service Desk
Case Containerships JIRA Service DeskCase Containerships JIRA Service Desk
Case Containerships JIRA Service Desk
 
Jira 7
Jira 7Jira 7
Jira 7
 
Liferay Road Show Sosiaali- ja terveysministeriö
Liferay Road Show Sosiaali- ja terveysministeriöLiferay Road Show Sosiaali- ja terveysministeriö
Liferay Road Show Sosiaali- ja terveysministeriö
 
Liferay Road Show Responsiivinen suunnittelu
Liferay Road Show Responsiivinen suunnitteluLiferay Road Show Responsiivinen suunnittelu
Liferay Road Show Responsiivinen suunnittelu
 
Liferay Road Show Linnunmaa LEX
 Liferay Road Show Linnunmaa LEX Liferay Road Show Linnunmaa LEX
Liferay Road Show Linnunmaa LEX
 
Liferay Road Show Rolf van der Steen
Liferay Road Show Rolf van der SteenLiferay Road Show Rolf van der Steen
Liferay Road Show Rolf van der Steen
 

Último

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Último (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Liferay hardening principles

  • 1. Hardening Principles Copyright © 2000-2013 Liferay, Inc. All Rights Reserved. No material may be reproduced electronically or in print, duplicated, copied, sold, resold, or otherwise exploited for any commercial purpose without express written consent of Liferay, Inc.
  • 2.
  • 3. Time for DEMO! Let's d0 s0me hacking
  • 4. WHAT IS HARDENING? “Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers and is often referred to as defense in depth. Protecting in layers means to protect at the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between. Each level requires a unique method of security.” - http://www.techopedia.com/definition/24833/hardening “In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability. A system has a larger vulnerability surface the more that it does; in principle a single-function system is more secure than a multipurpose one. Reducing available vectors of attack typically includes the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.” - http://en.wikipedia.org/wiki/Hardening_(computing)
  • 6. NETWORK Liferay Portal's operating environment is usually spread across multiple servers.
  • 7. NETWORK - HARDENING
    Think about which connections are needed. The Liferay server should be allowed to access only the servers it requires: database, Solr, disk share, web services, staging/live server..
    Liferay Portal should not have a direct Internet connection: connections go through the HTTP server, and the portal connects to the Internet through a proxy.
    Image: wikipedia.org
  • 8. SERVER Liferay running on a server. Image: wikipedia.org
  • 9. SERVER - HARDENING
    Server administration (Unix, Linux): no root-level access, only sudo. Administrators should use their own personal user IDs to administer.
    Block unnecessary ports with a firewall. Disable unwanted services.
    All applications and services should run under their own operating system user accounts.
    Separate disk spaces for the system, application, data, logs and temp files.
    chroot the application server installation.
  • 11. APPLICATION – LIFERAY #1 Remove demo data! (if it exists)
  • 12. APPLICATION – LIFERAY #2 Disable and change default administrative accounts. Change the username / email / password.
    portal.properties ( default value )
      default.admin.screen.name=test
      default.admin.password=test
      default.admin.email.address.prefix=test
  • 13. APPLICATION – LIFERAY #3 Keep your Liferay system patched!
  • 14. APPLICATION – LIFERAY #4 Disable account creation if self-registration is not required!
    portal.properties ( default value )
      company.security.strangers=true
      # Also good to disable open.id auth
      open.id.auth.enabled=true
  • 15. APPLICATION – LIFERAY #5 Make sure that passwords are stored securely!
    portal.properties ( default value )
      passwords.encryption.algorithm=SHA ## SHOULD BE SSHA or better
  • 16. APPLICATION – LIFERAY #6 Design a permission scheme for Portal users! NEVER RUN PORTAL USERS WITH THE ADMINISTRATION ROLE
  • 17. APPLICATION – LIFERAY #7 Do not show portlets if the user does not have permission!
    portal.properties ( default value )
      layout.show.portlet.access.denied=true
  • 18. APPLICATION – LIFERAY #8 Change the authentication token / shared secret
    portal.properties ( default value )
      auth.token.shared.secret=BAHyWOT9TbPB
  • 19. APPLICATION – LIFERAY #9 Do not touch the p_auth and p_p_auth token settings!
    portal.properties ( default value )
      auth.token.check.enabled=true
      portlet.add.default.resource.check.enabled=true
  • 20. APPLICATION – LIFERAY #10 Disable autologin functionality that is not required!
    portal.properties ( default value )
      ## SET THOSE NOT REQUIRED TO FALSE
      com.liferay.portal.servlet.filters.autologin.AutoLoginFilter=true
      com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
      com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
      com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true
      com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
      com.liferay.portal.sharepoint.SharepointFilter=true
      ## REMOVE THE HOOKS THAT ARE NOT REQUIRED
      auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin...
      auto.login.ignore.hosts=
      auto.login.ignore.paths=
  • 21. APPLICATION – LIFERAY #11 HTTP / HTTPS ?
  • 22. APPLICATION – LIFERAY #12 Disable Liferay remote services that are not used!
    portal.properties ( default value )
      spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      spring.remoting.servlet.https.required=false
      tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      tunnel.servlet.https.required=false
      axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      axis.servlet.https.required=false
      atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      atom.servlet.https.required=false
      webdav.servlet.hosts.allowed=
      webdav.servlet.https.required=false
      json.servlet.hosts.allowed=
      json.servlet.https.required=false
      jsonws.servlet.hosts.allowed=
      jsonws.servlet.https.required=false
  • 23. APPLICATION – LIFERAY #13 Disable core portlets, or just functionality that you are never going to use!
    StrutsActionHooks can be used to disable functionality.
    Modify liferay-portlet-ext.xml with an Ext plugin:
    liferay-portlet-ext.xml
      <portlet>
        <portlet-name>...</portlet-name>
        <include>false</include>
      </portlet>
  • 24. APPLICATION – LIFERAY #14 Change the Company encryption key size and algorithm
    portal.properties ( default value )
      company.encryption.key.size=56
      company.encryption.algorithm=DES
  • 25. APPLICATION – LIFERAY #15 Security Manager - PACL!
    portal.properties
      #
      # NOTE: This is the default setting
      #
      portal.security.manager.strategy=smart
    liferay-plugin-package.properties
      security-manager-enabled=true
      # To make work easier
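As an added example (not part of the slides and not Liferay's code), a small Python audit that reads a portal-ext.properties file and flags the settings slides #2, #4, #5, #8, #9, #10, #12 and #14 warn about; a key missing from the file is treated as the shipped default still being in effect. The property names and defaults are the ones on the slides; the parser, the check logic, the helper names and the sample file are constructed for this example.

```python
# Added example (not Liferay code): audit a portal-ext.properties file against the
# hardening slides. Property names and shipped defaults are the ones on the slides;
# the check logic, helper names and the sample file below are constructed here.
_FILTERS = "com.liferay.portal.servlet.filters."

# Shipped defaults that must not survive into production (slides #2, #8, #14).
RISKY_DEFAULTS = {
    "default.admin.screen.name": "test", "default.admin.password": "test",
    "default.admin.email.address.prefix": "test",
    "auth.token.shared.secret": "BAHyWOT9TbPB",
    "company.encryption.algorithm": "DES", "company.encryption.key.size": "56",
}
# Default true; set to false unless the feature is really used (slides #4, #10).
SHOULD_BE_FALSE = [
    "company.security.strangers", "open.id.auth.enabled",
    _FILTERS + "autologin.AutoLoginFilter", _FILTERS + "sso.cas.CASFilter",
    _FILTERS + "sso.ntlm.NtlmFilter", _FILTERS + "sso.ntlm.NtlmPostFilter",
    _FILTERS + "sso.opensso.OpenSSOFilter", "com.liferay.portal.sharepoint.SharepointFilter",
]
# Default true; slide #9 says do not touch the p_auth / p_p_auth token checks.
MUST_BE_TRUE = ["auth.token.check.enabled", "portlet.add.default.resource.check.enabled"]
# Remote servlets from slide #12 with their shipped hosts.allowed defaults.
REMOTE_SERVLET_DEFAULT_HOSTS = {
    "spring.remoting": "127.0.0.1,SERVER_IP", "tunnel": "127.0.0.1,SERVER_IP",
    "axis": "127.0.0.1,SERVER_IP", "atom": "127.0.0.1,SERVER_IP",
    "webdav": "", "json": "", "jsonws": "",
}

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (property, problem) pairs. A key missing from portal-ext.properties means
    the shipped default is in effect, so absence is checked as well as explicit values."""
    findings = []
    for key, default in RISKY_DEFAULTS.items():
        if props.get(key, default) == default:
            findings.append((key, "still at the shipped default %r" % default))
    for key in SHOULD_BE_FALSE:
        if props.get(key, "true").lower() != "false":
            findings.append((key, "enabled; set to false unless the feature is required"))
    for key in MUST_BE_TRUE:
        if props.get(key, "true").lower() != "true":
            findings.append((key, "disabled; the token checks must stay enabled"))
    if props.get("passwords.encryption.algorithm", "SHA").upper() == "SHA":
        findings.append(("passwords.encryption.algorithm", "unsalted SHA; use SSHA or better"))
    for servlet, default_hosts in REMOTE_SERVLET_DEFAULT_HOSTS.items():
        if not props.get(servlet + ".servlet.hosts.allowed", default_hosts).strip():
            findings.append((servlet + ".servlet.hosts.allowed", "empty: reachable from any host"))
        if props.get(servlet + ".servlet.https.required", "false").lower() != "true":
            findings.append((servlet + ".servlet.https.required", "false: allowed over plain HTTP"))
    return findings

# Constructed portal-ext.properties for the example, not taken from any real deployment.
SAMPLE_PORTAL_EXT = """\
default.admin.screen.name=portaladmin
default.admin.password=test
company.security.strangers=false
passwords.encryption.algorithm=SSHA
auth.token.shared.secret=BAHyWOT9TbPB
company.encryption.algorithm=AES
com.liferay.portal.servlet.filters.sso.cas.CASFilter=false
json.servlet.hosts.allowed=127.0.0.1
jsonws.servlet.hosts.allowed=\\
  127.0.0.1,10.0.0.5
jsonws.servlet.https.required=true
"""
```

Running `audit(parse_properties(SAMPLE_PORTAL_EXT))` on the sample reports 17 findings, among them the admin password and shared secret left at their defaults, the encryption key size still at 56 although the algorithm was changed, and the WebDAV servlet reachable from any host.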
  • 26. APPLICATION – LIFERAY #16 Antisamy Plugin
  • 27. APPLICATION – LIFERAY #17 Audit Plugin!
  • 28. APPLICATION – LIFERAY #18 Log rotation!
  • 29. PLUGIN DEVELOPMENT
    OWASP Top 10
    Use frameworks that help you avoid XSS. Use the Liferay APIs to escape wherever necessary: HtmlUtil.escape(..) etc. With Liferay tags, make sure that escapeModel=true.
    Use the Liferay permission framework. ServiceBuilder: remember to write permission checks in the remote services.
    Support Security Manager / PACL!
  • 30. RECOVERING! Make a disaster recovery plan: step-by-step instructions to rebuild a new system. How do you build the system up again from backups? How long will this take? Test the plan!
  • 31. WHAT ELSE? Liferay Portal is only one component of your Liferay installation. Give a hardening thought also to:
    HTTP server, Apache: https://www.google.fi/search?q=hardening+apache2
    Application server, Tomcat: https://www.owasp.org/index.php/Securing_tomcat
    Database, MySQL: https://www.google.fi/search?q=hardening+mysql
    Other services