Security of realtime Systems; old attacks, new tools

•Transferir como KEY, PDF•

0 gostou•477 visualizações

node.js, socket.io, express and other technologies are simply awesome for the real time web. They are enabling front end javascript developers to take their skills to the server. This does not come without a price. Adam will discuss his experiences and thoughts on securing real time systems built on some of these technologies, the talk hopes to promote positive discussion not finger pointing of how we as a community can avoid the pitfalls of the past and make the realtime web a safer place. Adam is the co-founder of nGenuity where he focuses on helping developers ship secure code.

Tecnologia Economia e finanças

Old Problems,
New Tools
Keeping It Realtime // 2011 // Adam Baldwin

Hi. I’m Adam

Keeping it Realtime // @adam_baldwin

Introduction

Co-Founder of nGenuity
Penetration Tester
evilpacket.net

Keeping it Realtime // @adam_baldwin

State of Things

Keeping it Realtime // @adam_baldwin

secure Defaults
Keeping it Realtime // @adam_baldwin

A security lesson: instead of
action and safe_action,
your API should be action
and unsafe_action.

Safe should be the default /
via @jezdez

Keeping it Realtime // @adam_baldwin

Better Examples
(docs that donʼt suck)

Keeping it Realtime // @adam_baldwin

Socket.io
Keeping it Realtime // @adam_baldwin

Set Origins by Default

Log Warnings

Better Examples

Keeping it Realtime // @adam_baldwin

Express, et al
Keeping it Realtime // @adam_baldwin

CSRF Protection by Default

Better Examples / Improved Boilerplate

Anti-Evil Headers™ on by Default

Keeping it Realtime // @adam_baldwin

Magical headers are magical.

X-FRAME-OPTIONS

Content Security Policy (CSP)

Keeping it Realtime // @adam_baldwin

Jade, et al
Keeping it Realtime // @adam_baldwin

If you fell asleep;
-Set socket.io origins
-Properly authorize sockets
-Use CSRF tokens
-Contextual Output encoding
-Do all this by default
-Write better docs

Keeping it Realtime // @adam_baldwin

Questions?
adam@ngenuity-is.com // @adam_baldwin

Mais conteúdo relacionado

Mais de Adam Baldwin

The Art of Identifying Vulnerabilities - CascadiaFest 2015

Adam Baldwin

Node Day - Node.js Security in the Enterprise

Adam Baldwin

Node Security Project - LXJS 2013

Adam Baldwin

Security First - Adam Baldwin

Adam Baldwin

EV1LSHA - Misadventures in the land of Lua

Adam Baldwin

Writing an (in)secure webapp in 3 easy steps

Adam Baldwin

Pony Pwning Djangocon 2010

Adam Baldwin

Mais de Adam Baldwin (7)

The Art of Identifying Vulnerabilities - CascadiaFest 2015

Node Day - Node.js Security in the Enterprise

Node Security Project - LXJS 2013

Security First - Adam Baldwin

EV1LSHA - Misadventures in the land of Lua

Writing an (in)secure webapp in 3 easy steps

Pony Pwning Djangocon 2010

Último

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

MINDCTI Revenue Release Quarter One 2024

MIND CTI

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Security of realtime Systems; old attacks, new tools

1. Old Problems, New Tools Keeping It Realtime // 2011 // Adam Baldwin

2. Hi. I’m Adam Keeping it Realtime // @adam_baldwin

3. Keeping it Realtime // @adam_baldwin

4. Introduction Co-Founder of nGenuity Penetration Tester evilpacket.net Keeping it Realtime // @adam_baldwin

5. Keeping it Realtime // @adam_baldwin

6. State of Things Keeping it Realtime // @adam_baldwin

7. secure Defaults Keeping it Realtime // @adam_baldwin

8. A security lesson: instead of action and safe_action, your API should be action and unsafe_action. Safe should be the default / via @jezdez Keeping it Realtime // @adam_baldwin

9. Better Examples (docs that donʼt suck) Keeping it Realtime // @adam_baldwin

10. Socket.io Keeping it Realtime // @adam_baldwin

11. Set Origins by Default Log Warnings Better Examples Keeping it Realtime // @adam_baldwin

12. Express, et al Keeping it Realtime // @adam_baldwin

13. CSRF Protection by Default Better Examples / Improved Boilerplate Anti-Evil Headers™ on by Default Keeping it Realtime // @adam_baldwin

14. Magical headers are magical. X-FRAME-OPTIONS Content Security Policy (CSP) Keeping it Realtime // @adam_baldwin

15. Jade, et al Keeping it Realtime // @adam_baldwin

16. &<>‘“ Keeping it Realtime // @adam_baldwin

17. If you fell asleep; -Set socket.io origins -Properly authorize sockets -Use CSRF tokens -Contextual Output encoding -Do all this by default -Write better docs Keeping it Realtime // @adam_baldwin

18. Keeping it Realtime // @adam_baldwin

19. Questions? adam@ngenuity-is.com // @adam_baldwin

Security of realtime Systems; old attacks, new tools

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Adam Baldwin

Mais de Adam Baldwin (7)

Último

Último (20)

Security of realtime Systems; old attacks, new tools

Notas do Editor