Webinar recording here: https://www.heroku.com/tech-sessions/creating-secure-web-apps
Secure internet communication is one of the most important issues facing technology practitioners these days. But for many software development teams, it’s an afterthought. Almost every week there’s a new headline about web security: Google Chrome flagging non-HTTPS sites as insecure, Apple requiring iOS apps’ API communication to use HTTPS, and Google giving search ranking preference to HTTPS.
Join Josh Aas, Executive Director of Let's Encrypt, and Chris Castle, Developer Advocate from Heroku, as they take you on a quick tour of what you, as a developer, need to know about HTTPS today plus show you how Let's Encrypt and Heroku are making it easier than ever for all developers to add HTTPS to their web apps.
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe (Philippe De Ryck)
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!
Let's go HTTPS-only! - More Than Buying a Certificate (Steffen Gebert)
1) The deck discusses ways to secure a website and its users, including obtaining an SSL/TLS certificate, setting up HTTPS, and enforcing strong security practices through HTTP headers and server configuration.
2) It presents Let's Encrypt as a free and easy way to obtain certificates with automated renewal, and testing services such as the Qualys SSL Labs server test to check the TLS configuration.
3) Additional best practices discussed include the HSTS, CSP and HPKP headers, which harden the site against content injection and man-in-the-middle attacks. Regular testing, with the checks integrated into the development process, is recommended.
The document provides an overview of basic web security concepts including:
1. It defines common web terms like front-end, back-end, cookies, sessions, URLs, HTTP methods, headers and status codes.
2. It discusses how cookies and sessions are used to track users and maintain state on the web.
3. It covers potential information leaks from files like robots.txt, hidden files and directories as well as techniques for searching websites like Google hacking.
4. It introduces common web vulnerabilities like XSS, CSRF and discusses how attacks are carried out and potential impacts. It also notes some PHP quirks that could be exploited if not understood.
Building a (Really) Secure Cloud Product (Guy K. Kloss)
Guest lecture to Master of Information Security and Digital Forensics students at Auckland University of Technology (AUT) on the development of the MEGAchat Cloud application.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
This document discusses various HTTP security headers and the W3C Content Security Policy. It provides an overview of headers like X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, cookies, HTTP Strict Transport Security (HSTS), and the Content Security Policy. It also demonstrates how to configure these headers and gives examples of policies for different browsers and sites.
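As an added example, not code from any of the header decks summarized above, here is the kind of check the HTTPS-only deck suggests integrating into the development process: an audit of a response's security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, with HPKP flagged for review rather than rewarded). It runs over two constructed responses, one weak and one hardened; the header values and the finding codes are made up for this example and are not taken from any real site.

```javascript
// Added example, not code from the decks summarized above: an audit of the
// response headers they recommend, run over constructed sample responses.
// Header names are compared case-insensitively, as HTTP requires.
const ONE_YEAR = 365 * 24 * 60 * 60;

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// "max-age=31536000; includeSubDomains; preload" -> its three directives.
function parseHsts(value) {
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [key, val] = part.trim().split('=').map((s) => s.trim().toLowerCase());
    if (key === 'max-age' && /^\d+$/.test(val || '')) hsts.maxAge = Number(val);
    else if (key === 'includesubdomains') hsts.includeSubDomains = true;
    else if (key === 'preload') hsts.preload = true;
  }
  return hsts;
}

// The source list that governs scripts: script-src, else the default-src
// fallback, else null (no restriction on scripts at all).
function cspScriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Returns short finding codes (made up for this example) so the result can
// be asserted on in CI rather than read by a human.
function auditHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  if (!h['strict-transport-security']) {
    findings.push('hsts-missing');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    // One year is the floor the HSTS preload list requires.
    if (hsts.maxAge === null || hsts.maxAge < ONE_YEAR) findings.push('hsts-short-max-age');
    if (!hsts.includeSubDomains) findings.push('hsts-no-include-subdomains');
  }

  const csp = h['content-security-policy'] || '';
  if (!csp) {
    findings.push('csp-missing');
  } else {
    const scripts = cspScriptSources(csp);
    if (scripts === null) {
      findings.push('csp-no-script-restriction');
    } else {
      const lowered = scripts.map((s) => s.toLowerCase());
      if (lowered.includes("'unsafe-inline'")) findings.push('csp-unsafe-inline-scripts');
      if (lowered.includes('*')) findings.push('csp-wildcard-scripts');
    }
  }

  // Clickjacking: either a CSP frame-ancestors directive or X-Frame-Options.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!/(^|;)\s*frame-ancestors\b/i.test(csp) && xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('clickjacking-unprotected');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('nosniff-missing');
  if (!h['referrer-policy']) findings.push('referrer-policy-missing');

  // HPKP: browsers have dropped support, and a wrong pin set locks users
  // out, so its presence is something to review, not a point in favour.
  if (h['public-key-pins']) findings.push('hpkp-present-review');

  return findings;
}

// Constructed sample responses, not captured from any real site.
const WEAK_RESPONSE = {
  'Server': 'nginx',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'Public-Key-Pins': 'pin-sha256="primaryPinPlaceholder="; pin-sha256="backupPinPlaceholder="; max-age=5184000',
};

const HARDENED_RESPONSE = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log('weak:', auditHeaders(WEAK_RESPONSE));
console.log('hardened:', auditHeaders(HARDENED_RESPONSE));
```

Against a live deployment the same function can be fed the headers of a fetch() response from a staging URL in CI, failing the build on any finding. The thresholds are deliberately strict: a one-year HSTS max-age with includeSubDomains is what the preload list requires, and a script policy containing 'unsafe-inline' leaves CSP unable to stop injected scripts.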
Modern Web Apps should be focused, rich, and gorgeous, but they also need to be FAST. After all, being rich and beautiful isn't always enough!
With web apps, faster is always better; nobody will ever complain that your site is too fast!
Drawing the Line with Browser Compatibility (jsmith92)
This document discusses browser compatibility and strategies for supporting older browsers like Internet Explorer 6. It addresses common layout issues in IE6 like the double margin bug and float containers. It also provides techniques for conditional comments, CSS hacks, frameworks and tools. The document then covers new technologies like HTML5 video, geolocation, CSS3 features and strategies for mobile browsers.
HTTPS: What, Why and How, SmashingConf Freiburg, Sep 2015 (Guy Podjarny)
When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust.
If that’s not motivation enough, the web’s giants are actively promoting HTTPS: requiring it for features such as HTTP/2 and Service Workers, using it as a search ranking signal, and more. To make the most of the web, you need to use HTTPS.
This deck reviews what HTTPS is, discusses why you should prioritize using it, and covers some of the easiest (and most cost-effective) steps to get started with HTTPS.
This document provides information on secure coding practices for data protection. It discusses classifying data based on sensitivity, encrypting data at rest and in transit, implementing HTTPS securely, using certificate pinning and HTTP Strict Transport Security (HSTS). It also covers least privilege principles, avoiding data leakage, enforcing same-origin policy, and managing cross-origin access controls. The document is a training from an IT security consultant on best practices for secure coding.
1) The document discusses responsive video formats and delivery methods for different devices.
2) It covers video codecs like H.264 and VP8, as well as formats like MP4, WebM and OGG.
3) Adaptive streaming technologies like Apple's HLS and MPEG-DASH are presented as ways to deliver the most appropriate video quality based on a user's bandwidth and device capabilities.
This document summarizes a presentation on web application security and the OWASP Top 10. It discusses the motivation for securing web apps, common causes of data breaches, and an overview of the OWASP Top 10 project and the most critical web application security flaws. The presentation recommends ways to address these issues, such as keeping software updated, using automated scanning tools, and implementing input validation and authorization checks. Specific attacks covered include cross-site scripting, insecure direct object references, and broken authentication and session management.
Developer's Guide to JavaScript and Web Cryptography (Kevin Hakanson)
The increasing capabilities and performance of the web platform allow for more feature-rich user experiences. How can JavaScript based applications utilize information security and cryptography principles? This session will explore the current state of JavaScript and Web Cryptography. We will review some basic concepts and definitions, discuss the role of TLS/SSL, show some working examples that apply cryptography to real-world use cases and take a peek at the upcoming W3C WebCryptoAPI. Code samples will use CryptoJS in the browser and the Node.js Crypto module on the server. An extended example will secure the popular TodoMVC project using PBKDF2 for key generation, HMAC for data integrity and AES for encryption.
Neil Walker from made Notable will discuss secure search: its past, impact and future. It was big news when Google first announced HTTPS as a ranking signal in August 2014, so what impact has this had for businesses, should brands and webmasters update to HTTPS, and what tools and advice are needed to ensure a website meets Google’s guidelines?
This webinar will cover:
1. History of HTTPS
2. The impact – Winners & Losers
3. Tools and advice to help you switch
4. The future of HTTPS as a ranking signal
Rails security: above and beyond the defaults (Matias Korhonen)
- The document discusses securing Rails web applications by improving on the framework's default security settings.
- It emphasizes using HTTPS to encrypt traffic, obtaining certificates from Let's Encrypt, and strengthening the TLS configuration using the Mozilla SSL Configuration Generator.
- Content Security Policies provide an added layer of security by restricting what content can be loaded from external sources, reducing vulnerabilities, though they require careful configuration.
- HTTP Public Key Pinning can lock users out if misconfigured, so caution is advised. Overall, the talk provides guidance on tightening security beyond Rails defaults.
HTTP cookie hijacking in the wild: security and privacy implications (Priyanka Aash)
The widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking attacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS: service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies. Our cookie hijacking study reveals a number of severe flaws: attackers can obtain the user's home and work address and visited websites from Google; Bing and Baidu expose the user's complete search history; and Yahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and eBay expose the user's purchase history (partial and full respectively), and almost every website exposes the user's name and email address. Ad networks like DoubleClick can also reveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore multiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars.
To estimate the extent of the threat, we run IRB-approved measurements on a subset of our university's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for our hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as the EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed. The privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking.
(Source: Black Hat USA 2016, Las Vegas)
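As an added example, not code from the paper above, here is a minimal model of the browser rules behind the "partially deployed HTTPS" pattern the study describes: which cookies a browser attaches to a request (RFC 6265 domain and path matching plus the Secure attribute), and how an HSTS entry keeps the request off plaintext HTTP altogether (RFC 6797). The cookie jar, host names and HSTS entries are constructed for the example; they are not the sites or cookies from the study.

```javascript
// Added example, not code from the paper: a model of cookie scoping and the
// HSTS upgrade, used to show which cookies an eavesdropper on open Wi-Fi
// sees when a partially-HTTPS site is visited over http://.

// RFC 6265 section 5.1.3: host-only cookies need an exact host match;
// domain cookies also match subdomains.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// RFC 6265 section 5.1.4: exact match, or a prefix that ends at a '/'.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Names of the cookies a browser would send with a request to `url`.
function cookiesFor(jar, url) {
  const u = new URL(url);
  const overTls = u.protocol === 'https:';
  return jar
    .filter((c) => domainMatches(u.hostname, c))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => overTls || !c.secure) // Secure cookies never go over http://
    .map((c) => c.name);
}

// With an HSTS entry covering the host, the browser rewrites http:// to
// https:// before the request leaves the machine (RFC 6797 section 8.3).
function effectiveUrl(url, hstsEntries) {
  const u = new URL(url);
  const covered = hstsEntries.some(
    (e) => u.hostname === e.host || (e.includeSubDomains && u.hostname.endsWith('.' + e.host)),
  );
  if (u.protocol === 'http:' && covered) u.protocol = 'https:';
  return u.toString();
}

// Cookies a passive network attacker sees in the clear when `url` is loaded.
function exposedToEavesdropper(jar, url, hstsEntries = []) {
  const target = effectiveUrl(url, hstsEntries);
  return new URL(target).protocol === 'https:' ? [] : cookiesFor(jar, target);
}

// Constructed jar for a site with partial HTTPS: the login session cookie is
// Secure, but the personalization cookie that identifies the user on the
// HTTP part of the site is not, and that is the one an attacker can replay.
const JAR = [
  { name: 'SID',   domain: 'example.com',       hostOnly: false, path: '/',        secure: true },
  { name: 'PREF',  domain: 'example.com',       hostOnly: false, path: '/',        secure: false },
  { name: 'ADMIN', domain: 'admin.example.com', hostOnly: true,  path: '/console', secure: true },
];

console.log('without HSTS:', exposedToEavesdropper(JAR, 'http://www.example.com/news'));
console.log('with HSTS:   ', exposedToEavesdropper(JAR, 'http://www.example.com/news',
  [{ host: 'example.com', includeSubDomains: true }]));
```

The first call shows the leak the study measured: the session cookie stays private, but PREF travels in the clear on every HTTP page and is enough to personalize responses as the victim. The second shows why the HSTS includeSubDomains directive matters: an entry for example.com alone would not cover www.example.com, and the plaintext request, with its cookie, would still be sent.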
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
1. Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Josh Aas, Executive Director, Internet Security Research Group
Brett Goulder, Product Manager, Heroku
Chris Castle, Developer Advocate, Heroku
Wednesday, June 14, 2017
2. Josh Aas, Executive Director, Internet Security Research Group, @0xjosh
Brett Goulder, Product Manager, Heroku, @brettgoulder
Chris Castle, Developer Advocate, Heroku, @crc
3. Some Logistics…
• 20 minutes at the end for Q&A
• Submit questions throughout webinar in “Questions” box
• Audio / video problems? Click raise hand button or use “Help” menu
4. What are Let’s Encrypt and Heroku Doing to Promote Web Security?
23. So what does that mean in practice?
1. No one can view data in-transit
2. No one can modify data in-transit
3. Data is coming from domain in URL bar
41. Resources
• SSL Labs SSL Server Test
https://www.ssllabs.com/ssltest/
• Mozilla Observatory
https://observatory.mozilla.org/
• See What Incorrect SSL Configuration Looks Like in Browser
https://badssl.com/
• Mozilla Web Security Guidelines
https://wiki.mozilla.org/Security/Guidelines/Web_Security
• Google Web Fundamentals – Security and Identity
https://developers.google.com/web/fundamentals/security/
• High Performance Browser Networking, TLS Chapter
https://hpbn.co/transport-layer-security-tls/
• Discussion of TLS speed concerns
https://istlsfastyet.com/
44. …the Web’s trustworthiness has become critical to its success. If a person cannot trust that they are communicating with the party they intend, they can’t use the Web to shop safely; if they cannot be assured that Web-delivered news isn’t modified in transit, they won’t trust it as much. If someone cannot be assured that they’re talking only to the intended recipients, they might avoid social networking.
Source: https://www.w3.org/2001/tag/doc/web-https
45. This leads us to a conclusion that server authentication and integrity are baseline requirements for the continued success of the Web…
Source: https://www.w3.org/2001/tag/doc/web-https
48. Q&A
Josh Aas, Executive Director, Internet Security Research Group, @0xjosh
Brett Goulder, Product Manager, Heroku, @brettgoulder
Chris Castle, Developer Advocate, Heroku, @crc
Editor's Notes
Hello everyone. Welcome and thanks for joining us!
We’re going to talk about Creating Secure Web Apps today.
Hope you’re excited for an educational, developer-focused talk about the importance of web security and what you can do to help advance it.
But who is “we”?
That would be Josh, Brett, and me, Chris.
Josh, can you introduce yourself?
Hi I’m Josh Aas, Executive Director of the Internet Security Research Group and Founder of Let’s Encrypt.
Great, Brett?
Hi, I’m Brett Goulder, Product Manager at Heroku.
Great, and again, I’m Chris Castle, and I’m a Developer Advocate at Heroku.
Some logistics before we start up.
Change this to be more of an intro section describing a little more about Let’s Encrypt and Heroku?
Vik had thoughts here…
[JOSH]
Let’s Encrypt was born from…
Our vision was…
[CHRIS]
For several years Heroku has provided free HTTPS for all applications with a *.herokuapp.com subdomain. This means every application deployed to Heroku automatically gets HTTPS.
But many people want to customize their domain.
In March, we released Automated Certificate Management to make it easier to use a custom domain with HTTPS. In fact, it’s not just easier, there are no extra steps. You specify your custom domain and we automatically setup your certificate.
Check this out.
SHOW VIDEO AND NARRATE WHAT’S HAPPENING https://vimeo.com/208872579
Heroku automatically acquires and manages renewal of a certificate for custom domains on paid Heroku apps.
And this wouldn’t have been possible without Let’s Encrypt.
[JOSH]
So first let’s set some context: why are we doing this webinar?
…well there are still a lot of websites not using HTTPS.
Here’s browser telemetry data from Firefox. During the 24 hours of June 7th, just one week ago, only 57% of the web pages loaded by Firefox used HTTPS.
You can see that’s the best day since November 2015. And you can also see the slope is not very steep. Over this time range, it’s going up at only 7.4 percentage points per year.
At that rate it will take over 5 years to get to 100%.
It should be 100% now.
In fact, it should have been 100% years ago.
Chrome data confirms that adoption rate and growth.
So if developers think HTTPS is simple, why aren’t more pages using it? Maybe implementing it is more complicated than we think.
Well, what can we do about that? This webinar is one thing we’re trying.
[CHRIS]
We’re doing this webinar because we want to educate developers and help them cut through the complexity.
We also want to help you educate others about web security.
We aren’t going to get to 100% with the couple hundred people on this webinar!
Answer your colleagues’ questions and encourage them to use HTTPS by default.
[JOSH]
So we’ve explained why we’re doing this webinar: we want the web to be at 100% HTTPS,
But why is that?
What are the risks with unencrypted HTTP?
Well, they can be described by 3 categories:
First: data privacy.
Privacy of sensitive data like your financial information, health information, and the passwords that protect these.
Most developers know this.
Many non-developers know this (i.e. if I’m going to do something with private data on the web, I look for the padlock icon).
Many people think this is the only purpose of HTTPS.
But privacy of your other web activity is also important: news articles you read, products you buy, topics you research, videos you watch. This data aggregated provides a very detailed, personal, and accurate profile of you.
Some may be ok with that, but it should be a choice. With unencrypted HTTP, you have no choice. Nor do you know who may be creating a profile of you.
Change title to "meta data privacy"
Second is data integrity.
Did you know that on public wifi, it’s very easy for any HTTP web page to be manipulated before it gets to your browser?
How easy, you might ask? On public wifi, something like what’s shown in this screenshot can be done easily with a small device like a Raspberry Pi.
And in fact, it doesn’t even matter if you’re on public wifi. Any page delivered using HTTP can be modified inconspicuously before it gets to your browser.
Third: data authenticity
Authenticity – unencrypted HTTP provides no guarantees that the page you’re viewing is in fact coming from the domain in the URL bar.
Telephone metaphor.
[CHRIS]
So how does HTTPS address these three issues?
For data privacy, the body of all requests and responses is encrypted. I think most developers know this.
But what about HTTP information – the meta data included in each HTTP request and response like the domain, path, querystring, user agent, etc.?
What exactly is encrypted? Is the URL encrypted? Query string parameters? Other headers?
Here is an example HTTP request.
And here is what is hidden by HTTPS.
Data integrity is also guaranteed by HTTPS.
A “message authentication code” is calculated and sent along with the message.
It is calculated using the message and a secret key as inputs.
Only the sender and receiver know the secret key used to calculate the code.
If the code calculated by the receiver doesn’t match the code received from the sender, an error occurs.
Finally, data authenticity is guaranteed.
If the certificate is valid and the certificate domain matches the request domain, then you can be sure the page is coming from that domain.
If you know HTTPS well, those three sentences might have made you a little uncomfortable.
Like most things related to encryption, the devil is in the details.
Unfortunately, it is not as simple as pushing a button to get those three guarantees.
If it were simple, we’d be much closer to 100% adoption by now.
[JOSH]
So we have these incentives, some “carrots”, some “sticks”, to encourage more website developers to use HTTPS.
More than 2 years ago, Mozilla stated their intent to “phase out” non-secure HTTP
Focusing new development efforts on the secure web only.
And even stating that they will remove capabilities from the non-secure web.
Chrome’s HTTP deprecation has taken the form of marking HTTP pages with password or credit card fields as not secure.
And Google has said Chrome will mark all HTTP pages as Not Secure in the future.
Google has adjusted its indexing system to look for more HTTPS pages and prefer them over equivalent HTTP pages.
Some sensitive browser features, such as the geolocation API, now require HTTPS in Chrome and Safari.
Using the computer’s camera or microphone (getUserMedia) is another example that requires HTTPS.
[CHRIS]
So, given the importance of HTTPS and the changes browsers are making to encourage HTTPS, what can you do?
Here are some recommendations you can apply to both new sites or sites you currently work on.
First, a good resource to see what sites are doing it well is the Google Transparency report.
It lists the HTTPS status of the top 100 non-Google sites.
It qualifies secure websites with three checks:
Does the site work on HTTPS? And does it work without any browser warnings?
Does it use a modern TLS configuration? This means the site offers TLS 1.2 and a cipher suite that uses an AEAD mode of operation.
Does it default to HTTPS? Defaulting to HTTPS means redirecting all HTTP requests to HTTPS.
Design your application to use HTTPS from the start
All resources (e.g. images, JS, CSS) a page loads should use HTTPS — whether external or not
Use modern TLS (and what is the difference between SSL and TLS?)
SSL is deprecated
TLS has gone through several revisions. Currently TLS 1.2, 1.3 being drafted.
“Cipher suite” means different things in TLS 1.3 and TLS < 1.3 https://en.wikipedia.org/wiki/Cipher_suite
Redirect all HTTP requests to HTTPS
HSTS is a response header you set on the server
It instructs the browser that all future connections to this site should only be HTTPS
If the browser goes to this site in the future and it’s unencrypted HTTP, it’s likely something is trying to intercept the connection
HSTS can be implemented in report-only mode before being fully turned on
You can specify a time after which the browser will forget this instruction (think of this like a DNS record TTL)
You can also specify whether to include subdomains and whether to use a preload list maintained by the browser vendor
Content Security Policy is another response header that helps to prevent cross-site scripting, clickjacking, and other code injection attacks
It does this by allowing the website owner to specify approved origins of content to load on a page.
There are two policies that help with upgrading sites from HTTP to HTTPS
One is upgrade-insecure-requests. This tells the browser to automatically rewrite any HTTP URLs in the page to HTTPS
The other is block-all-mixed-content. This prevents any HTTP resource URLs from being loaded on a page delivered over HTTPS
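An added example, not code from the webinar or from Heroku or Let’s Encrypt, that turns the three recommendations in these notes (redirect HTTP to HTTPS, send HSTS with max-age, includeSubDomains and preload, and use CSP’s upgrade-insecure-requests or block-all-mixed-content) into a check a developer can run against captured response headers. The header values are constructed samples, and the one-year max-age threshold is this example’s own choice.

```python
from typing import Dict, List

# Threshold chosen for this example: one year, the max-age the HSTS preload list asks for.
MIN_HSTS_MAX_AGE = 31_536_000

# Constructed sample HTTPS response headers, not captured from a real site.
GOOD_HTTPS_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict,
    lower-casing directive names so matching is case-insensitive."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def csp_directives(value: str) -> List[str]:
    """Return the directive names present in a Content-Security-Policy value."""
    return [d.split()[0].lower() for d in value.split(";") if d.strip()]


def grade(http_status: int, http_location: str, https_headers: Dict[str, str]) -> List[str]:
    """Check the talk's recommendations; an empty list means every check passed."""
    findings = []
    hdr = {k.lower(): v for k, v in https_headers.items()}
    # 1. The plain-HTTP response must redirect to an https:// URL.
    if http_status not in (301, 302, 307, 308) or not http_location.lower().startswith("https://"):
        findings.append("http does not redirect to https")
    # 2. HSTS present, with a long max-age, covering subdomains, and preloadable.
    hsts = parse_hsts(hdr.get("strict-transport-security", ""))
    if "max-age" not in hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        if int(hsts["max-age"] or 0) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in hsts:
            findings.append("HSTS lacks preload")
    # 3. CSP must upgrade or block any leftover http:// subresources (mixed content).
    if not {"upgrade-insecure-requests", "block-all-mixed-content"} & set(csp_directives(hdr.get("content-security-policy", ""))):
        findings.append("CSP lacks upgrade-insecure-requests / block-all-mixed-content")
    return findings
```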
Here are some great resources for you to use and share.
SSL Labs SSL Server Test and Mozilla Observatory will help you grade your website on the path to proper HTTPS configuration.
The rest are great resources to learn more… to answer a specific question or dig in deeper on a topic you want to know more about.
In early 2015, the W3C technical advisory group released a document about securing the web using cryptography.
Its intended audience was W3C participants – the people working to define web standards.
Reading this document now, more than two years later, it’s clear that its message is important for all developers to understand.
I encourage you to read it, but I wanted to highlight two paragraphs here.