The web is growing up and getting faster and more secure. Making that the default is hard to achieve when you have to be backwards compatible, and some of the stuff we built 10 years ago is now a serious security liability. The answer: headers. Lots of headers.
Webinar slides: How to Secure MongoDB with ClusterControl (Severalnines)
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He's a pragmatic MySQL and database expert with over 15 years' experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad view over the whole database environment: from MySQL to Couchbase, Vertica to Hadoop, and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
HTTP Security Headers Every Java Developer Must Know (Ayoma Wijethunga)
Demonstration-based session on HTTP headers relevant to the security of web applications. The target audience is web developers, with particular attention given to the Java language.
WSO2Con USA 2015: Securing your APIs: Patterns and More (WSO2)
Businesses today are rapidly moving from being service enabled to being API enabled. Moving into the world of APIs brings with it its own set of complexities and challenges that are tough to tackle. API security, performance, scalability, monitoring and notifications are key areas to focus your engineering efforts on. The WSO2 Carbon platform is a complete open source enterprise middleware platform which includes products catering to your various enterprise needs.
This talk will focus on leveraging the extensive feature set and extensible nature of the WSO2 platform to secure, monitor and monetize your APIs. It will also touch upon some of WSO2’s experiences with customers in building API ecosystems that suit modern day enterprises.
This document discusses various tools from the OWASP project for securing modern web applications, including ESAPI and the Java Encoder for output encoding, the Secure Headers Project for response headers, and CSRFGuard for cross-site request forgery protection. It emphasizes using security features like content security policies, strict transport security, and X-frame options headers to help mitigate risks like cross-site scripting and clickjacking attacks. The document also demonstrates cross-site request forgery vulnerabilities using the OWASP 1-Liner application and how to address them with anti-CSRF tokens.
1) The document discusses malware distribution campaigns from 2012 that used dynamically generated domain names and short-lived domains to serve malicious content through advertisement networks and legitimate websites.
2) Malware was distributed by simulating advertisement networks through JavaScript and using short-term disposable domain names that pointed to the same IP addresses.
3) One campaign only rendered malicious content if mouse movement was detected on a page, requiring user interaction to trigger the exploit.
Subresource Integrity (SRI) allows websites to specify a cryptographic hash for external scripts and stylesheets to verify their integrity before loading. A study found 88% of top websites include external JavaScript libraries. SRI helps prevent attacks from compromised CDNs by only loading resources that match the expected hash value. SRI also uses the crossorigin attribute to implement Cross-Origin Resource Sharing (CORS) and prevent data leakage when checking external resources. CORS headers must be present for SRI integrity checks to prevent loading alternative scripts. SRI provides more control over included external content and is supported by libraries like Ember.js.
This document discusses advanced techniques used in modern banking trojans. It describes how trojans operate by hijacking browsers using techniques like hooking browser APIs and modifying encrypted network traffic. It also discusses how trojans evade detection from tools like BankGuard and how their command and control structures have evolved to use peer-to-peer and Tor networks.
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF (Mark Stanton)
This document discusses common JavaScript security vulnerabilities like cross-site scripting (XSS), cross-site request forgery (CSRF), and clickjacking. It defines these issues and provides examples of real attacks. The document also outlines solutions for developers, including sanitizing input, escaping output, minimizing the attack surface, and designing with the assumption of breaches. Overall it stresses the importance of a holistic, multi-layered approach to JavaScript security.
In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template; hopefully NoConName will share the templated version online as well)
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t... (Andrey Devyatkin)
- Vault configuration as code via Terraform was discussed, including deployment, authentication, secrets engines, and integration considerations
- Key topics included deploying Vault in AWS using Terraform, configuring LDAP and AWS IAM authentication backends, and using the KV secrets engine for database credentials and temporary AWS credentials
- Challenges with keeping Terraform and Vault in sync were noted, such as state issues when Vault values are added outside of Terraform
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh, exotic Mac stuff" or "let's fuzz the kernel", or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workarounds for security protections to enable debugging, and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries, and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but thought twice because it's only available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Content Security Policies: A whole new way of securing your website that no o... (Miriam Schwab)
Content Security Policies (CSP) are an additional layer of security that you can add to your websites to protect your users from XSS attacks, but they are only used by about 2% of the Internet. This presentation was given at WordCamp Europe 2018 and explains the threats posed to website visitors, how CSPs can help, and how they work. #wceu
The document discusses techniques for optimizing website performance, including making fewer HTTP requests, leveraging browser caching with cache control headers, minimizing component sizes, optimizing asset delivery through techniques like sprites and concatenation, and following front-end performance best practices. It provides examples of how major sites implement various optimizations and shares results from experiments measuring the impact of optimizations on response times.
The document discusses techniques for improving website performance, including:
1. Focusing on front-end optimizations as they account for 80-90% of response time.
2. Following the 80/20 rule - optimizing the 20% of code that affects 80% of response time like assets on the front-end.
3. Using techniques like image sprites, combined scripts and stylesheets, CDNs, caching, gzip compression, and reducing cookie sizes and HTTP requests to improve response times.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
Use Monitoring, Logs, and Analytics Tools to Measure CDN and Site Performance...
In this session, use metrics and logs from Amazon CloudFront, and tools such as Amazon CloudWatch and third-party performance measurement tools, to measure and improve your web and mobile performance.
NYC WebPerf Meetup Feb 2020 - Measuring the Adoption of Web Performance Techn...
Performance optimization is a cyclical process. We are constantly learning new ways to optimize, while simultaneously adopting new technologies and techniques that negatively impact performance. The HTTP Archive provides a great historical record of the technical side of the web, with almost 10 years of history and an ever growing dataset of sites.
During this session Paul will provide a brief overview of the HTTP Archive and then dive into some insights into the adoption of common web performance techniques and some of their measurable impacts.
Let's go HTTPS-only! - More Than Buying a Certificate
1) The document discusses various ways to secure a website or a client's users, including getting an SSL certificate, setting up HTTPS, and ensuring strong security practices with headers and configurations.
2) It describes Let's Encrypt as a free and easy way to get SSL certificates with automated renewal, and testing services like Qualys to check SSL configuration.
3) Additional security best practices discussed include HTTP headers like HSTS, CSP, and PKP to prevent vulnerabilities and protect against MITM attacks. Regular testing and integrating checks into development processes are recommended.
These slides are part of my presentation at the Confraria0day conference in March 2017. It is an introduction to the various HTTP security headers. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
This document discusses HTML5 security threats and defenses. It covers the history of HTML standards, new HTML5 features, and vulnerabilities like XSS, cookie/storage stealing, SQL injection, and more. It also provides tools for analyzing HTML5 threats and examples of real attacks exploiting features like WebSQL, local storage, and cross-origin requests. Defenses include input validation, avoiding sensitive data storage, and configuring CORS headers appropriately.
The presentation is devoted to networking and tips for improving web performance. Further presentations will dwell on more practical aspects of improving web application performance. All 4 presentations will help you reduce latency, better optimize JavaScript code, discover tricky parts of working with browser APIs, see best practices for networking, and learn lots of other important and interesting things. Enjoy! =)
This document discusses various techniques for improving web performance, including:
1. Using a CDN to reduce latency and enable caching of common assets.
2. Implementing domain sharding to allow for parallel downloading of resources from different domains.
3. Leveraging browser enhancements like prefetching, preloading, and the navigation timing API to prioritize important resources.
4. Adopting new web standards like WebRTC to enable real-time communication directly in the browser.
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.
This document discusses benchmarking HTTP/2 using the h2load tool. It provides examples of using h2load to test various HTTP/2 configurations and protocols. The document also summarizes several experiments comparing performance of HTTP/2 with different settings, such as with or without domain sharding, combo handling, and different servers like ATS and nghttpx. It concludes that we need to consider server capacity for HTTP/2 deployments and that h2load is not perfect, providing opportunities for contribution.
The document provides 14 tips for optimizing website performance based on the 80/20 rule. The tips include minimizing HTTP requests by combining files, using a CDN, adding caching headers, gzipping files, optimizing CSS and JS placement, avoiding redirects and duplicate scripts, and making Ajax cacheable. Following these best practices can significantly improve page load times by reducing network requests and making better use of browser caching.
Defeating Cross-Site Scripting with Content Security Policy (updated)
How a new HTTP response header can help increase the depth of your web application defenses.
Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.
Yahoo has developed the de facto standard for building fast front-ends for websites. The bad news: you have to follow 34 rules to get there. The good news: I'll take a subset of those rules, explain them, and show how you can implement those rules in an automated fashion to minimize impact on developers and designers for your high-traffic website.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
This is an updated version of a talk given at DrupalCamp Atlanta (DCA).
This presentation is an overview / case study of things learned from experiencing GDPR security audits, DoS attacks, brute-force login attacks, annoying robot crawlers, and hackers doing security probes.
The session will cover the following main topics, with tips on how to protect against each of these.
An overview of security threats
Server Level Attacks
Code Level Attacks
User Access Attacks
Internal Attacks
Some suggestions on developing a security plan
People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.
Opening up the Social Web - Standards that are bridging the Islands
The document discusses various standards that are helping to bridge isolated social networks and enable interoperability across platforms, including OpenID, WebFinger, XRD, PubSubHubbub, Salmon, OAuth, XAuth, OEmbed, and OpenSocial. It provides examples of how these standards work to allow users to log in or comment on different sites without separate accounts, share updates across networks, and embed content like videos universally. While progress is being made, challenges remain around user identity, privacy, access control, and full adoption. The overall goal is a more open and interconnected social web.
RFC 7540 was ratified over 2 years ago and, today, all major browsers, servers, and CDNs support the next generation of HTTP. Just over a year ago, at Velocity, we discussed the protocol, looked at some real-world implications of its deployment and use, and what realistic expectations we should have from its use. Now that adoption has ramped up and the protocol is being regularly used on the Internet, it's a good time to revisit the protocol and its deployment. Has it evolved? Have we learned anything? Are all the features providing the benefits we were expecting? What's next? In this session, we'll review protocol basics and try to answer some of these questions based on real-world use of it. We'll dig into the core features like interaction with TCP, server push, priorities and dependencies, and HPACK. We'll look at these features through the lens of experience and see if good practice patterns have emerged. We'll also review available tools and discuss what protocol enhancements are on the near and not-so-near horizon.
Altitude San Francisco 2018: Preparing for Video Streaming Events at Scale
CBS Interactive streams some of the largest video streaming events on the planet, including the Super Bowl in 2019. This talk will focus on all the work that goes in ahead of time to prepare and plan for game day. From architecture design to capacity reservations to operational visibility and building playbooks, we will explore how we build, test and prepare for these large events. We will also explore how some of Fastly's unique features such as MediaShield and VCL are becoming critical to these workflows.
Altitude San Francisco 2018: Building the Southern Hemisphere of the Internet
As a global organization, Fastly carefully selects and deploys POP locations to serve the greater audience of the Internet. Fastly currently has 52 global POPs across the Internet, 13 of which are located in the Southern Hemisphere. Another 3 are outside North America, Europe, and Asia. During this talk, VP of Infrastructure Tom Daly will share our experience in building Fastly's network of POPs south of the equator, where, in some cases, the Internet is much different from the one we know here in San Francisco. Tom will explore the physical datacenter infrastructure, network topology, and network policy that pose unique challenges when operating in these parts of the world.
FuboTV's recent offering of the 2018 FIFA World Cup broke all of our previous records for viewership and put our systems to the test as we delivered all 64 matches live. Coverage for a majority of games was spread out across ~150 regional sports networks, local FOX affiliates, owned-and-operated regional stations and other local FOX offerings, with a few early matches broadcast on national channels. Running a successful World Cup required us to pay close attention to our caching strategies, delivery mechanisms, content edge-case handling and more. An event at this scale, spread out over a month, also gave us an excellent test bed to run experiments. We were able to augment our last-mile delivery, test/tweak our solution for CDN decisioning/priority, and even stand up a set of UHD HDR10 feeds to give our users their first glimpse of live OTT UHD offerings. We'll run through this whole event from a scale and technology perspective and share our takeaways as we prepare for the upcoming NFL season and beyond.
1) CNN adopted GraphQL in 2016 to improve page load speeds by allowing clients to request specific data fields rather than entire documents, reducing response sizes by over 90% in some cases.
2) CNN later developed its own Data API using GraphQL and saw request volumes increase to over 7 million per hour with an 89% cache hit rate.
3) For live storytelling, CNN chose to implement Server-Sent Events which allows for near real-time updates without polling by allowing servers to push messages to clients as new data becomes available.
Altitude San Francisco 2018: Scale and Stability at the Edge with 1.4 Billion...
Braze is a customer engagement platform that delivers more than a billion messaging experiences across push, email, apps and more each day. In this session, Jon Hyman will describe the company's challenges during an inflection point in 2015 when the company reached the limitation of their physical networking equipment, and how Braze has since grown more than 7x on Fastly. Jon will also discuss how Braze uses Fastly's Layer 7 load balancing to improve stability and uptime of its APIs.
In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages.
As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications.
https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en
The document provides an overview of basic web security concepts including:
1. It defines common web terms like front-end, back-end, cookies, sessions, URLs, HTTP methods, headers and status codes.
2. It discusses how cookies and sessions are used to track users and maintain state on the web.
3. It covers potential information leaks from files like robots.txt, hidden files and directories as well as techniques for searching websites like Google hacking.
4. It introduces common web vulnerabilities like XSS, CSRF and discusses how attacks are carried out and potential impacts. It also notes some PHP quirks that could be exploited if not understood.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
Webinar slides: How to Secure MongoDB with ClusterControlSeveralnines
Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
WSO2Con USA 2015: Securing your APIs: Patterns and MoreWSO2
Businesses today are rapidly moving from being service enabled to being API enabled. Moving into the world of APIs brings with it its own set of complexities and challenges that are tough to tackle. API security, performance, scalability, monitoring and notifications are key areas to be focusing your engineering efforts on. The WSO2 Carbon platform is a complete open source enterprise middleware platform which includes products catering to your various different enterprise needs.
This talk will focus on leveraging the extensive feature set and extensible nature of the WSO2 platform to secure, monitor and monetize your APIs. It will also touch upon some of WSO2’s experiences with customers in building API ecosystems that suit modern day enterprises.
This document discusses various tools from the OWASP project for securing modern web applications, including ESAPI and the Java Encoder for output encoding, the Secure Headers Project for response headers, and CSRFGuard for cross-site request forgery protection. It emphasizes using security features like content security policies, strict transport security, and X-frame options headers to help mitigate risks like cross-site scripting and clickjacking attacks. The document also demonstrates cross-site request forgery vulnerabilities using the OWASP 1-Liner application and how to address them with anti-CSRF tokens.
1) The document discusses malware distribution campaigns from 2012 that used dynamically generated domain names and short-lived domains to serve malicious content through advertisement networks and legitimate websites.
2) Malware was distributed by simulating advertisement networks through JavaScript and using short-term disposable domain names that pointed to the same IP addresses.
3) One campaign only rendered malicious content if mouse movement was detected on a page, requiring user interaction to trigger the exploit.
Subresource Integrity (SRI) allows websites to specify a cryptographic hash for external scripts and stylesheets to verify their integrity before loading. A study found 88% of top websites include external JavaScript libraries. SRI helps prevent attacks from compromised CDNs by only loading resources that match the expected hash value. SRI also uses the crossorigin attribute to implement Cross-Origin Resource Sharing (CORS) and prevent data leakage when checking external resources. CORS headers must be present for SRI integrity checks to prevent loading alternative scripts. SRI provides more control over included external content and is supported by libraries like Ember.js.
This document discusses advanced techniques used in modern banking trojans. It describes how trojans operate by hijacking browsers using techniques like hooking browser APIs and modifying encrypted network traffic. It also discusses how trojans evade detection from tools like BankGuard and how their command and control structures have evolved to use peer-to-peer and Tor networks.
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
This document discusses common JavaScript security vulnerabilities like cross-site scripting (XSS), cross-site request forgery (CSRF), and clickjacking. It defines these issues and provides examples of real attacks. The document also outlines solutions for developers, including sanitizing input, escaping output, minimizing the attack surface, and designing with the assumption of breaches. Overall it stresses the importance of a holistic, multi-layered approach to JavaScript security.
In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template-- hopefully NoConName will share the templated version online as well)
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...Andrey Devyatkin
- Vault configuration as code via Terraform was discussed, including deployment, authentication, secrets engines, and integration considerations
- Key topics included deploying Vault in AWS using Terraform, configuring LDAP and AWS IAM authentication backends, and using the KV secrets engine for database credentials and temporary AWS credentials
- Challenges with keeping Terraform and Vault in sync were noted, such as state issues when Vault values are added outside of Terraform
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "let's fuzz the kernel", or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workarounds for security protections to enable debugging, and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries, and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but thought twice because it's only available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Content Security Policies: A whole new way of securing your website that no o...Miriam Schwab
Content Security Policies (CSP) are an additional layer of security that you can add to your websites to protect your users from XSS attacks, but it is only used by about 2% of the Internet. This presentation was given at WordCamp Europe 2018 and explains the threats posed to website visitors, how CSPs can help, and how they work. #wceu
The document discusses techniques for optimizing website performance, including making fewer HTTP requests, leveraging browser caching with cache control headers, minimizing component sizes, optimizing asset delivery through techniques like sprites and concatenation, and following front-end performance best practices. It provides examples of how major sites implement various optimizations and shares results from experiments measuring the impact of optimizations on response times.
The document discusses techniques for improving website performance, including:
1. Focusing on front-end optimizations as they account for 80-90% of response time.
2. Following the 80/20 rule - optimizing the 20% of code that affects 80% of response time like assets on the front-end.
3. Using techniques like image sprites, combined scripts and stylesheets, CDNs, caching, gzip compression, and reducing cookie sizes and HTTP requests to improve response times.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
Use Monitoring, Logs, and Analytics Tools to Measure CDN and Site Performance...Amazon Web Services
In this session, use metrics and logs from Amazon CloudFront, and tools such as Amazon CloudWatch and third-party performance measurement tools, to measure and improve your web and mobile performance.
NYC WebPerf Meetup Feb 2020 - Measuring the Adoption of Web Performance Techn...Paul Calvano
Performance optimization is a cyclical process. We are constantly learning new ways to optimize, while simultaneously adopting new technologies and techniques that negatively impact performance. The HTTP Archive provides a great historical record of the technical side of the web, with almost 10 years of history and an ever growing dataset of sites.
During this session Paul will provide a brief overview of the HTTP Archive and then dive into some insights into the adoption of common web performance techniques and some of their measurable impacts.
Let's go HTTPS-only! - More Than Buying a CertificateSteffen Gebert
1) The document discusses various ways to secure a website or client's users, including getting an SSL certificate, setting up HTTPS, ensuring strong security practices with headers and configurations.
2) It describes Let's Encrypt as a free and easy way to get SSL certificates with automated renewal, and quality testing services like Qualys to check SSL configuration.
3) Additional security best practices discussed include HTTP headers like HSTS, CSP, and PKP to prevent vulnerabilities and protect against MITM attacks. Regular testing and integrating checks into development processes are recommended.
These slides are part of my presentation at the Confraria0day conference in March 2017. It is an introduction to the various HTTP security headers. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
This document discusses HTML5 security threats and defenses. It covers the history of HTML standards, new HTML5 features, and vulnerabilities like XSS, cookie/storage stealing, SQL injection, and more. It also provides tools for analyzing HTML5 threats and examples of real attacks exploiting features like WebSQL, local storage, and cross-origin requests. Defenses include input validation, avoiding sensitive data storage, and configuring CORS headers appropriately.
The presentation is devoted to networking and tips for improving web performance. Further presentations will dwell on more practical aspects of web application performance improvement. All 4 presentations will help you reduce latency, improve optimization of JavaScript code, discover tricky parts when working with browser APIs, see best practices of networking, and learn lots of other important and interesting things. Enjoy! =)
This document discusses various techniques for improving web performance, including:
1. Using a CDN to reduce latency and enable caching of common assets.
2. Implementing domain sharding to allow for parallel downloading of resources from different domains.
3. Leveraging browser enhancements like prefetching, preloading, and the navigation timing API to prioritize important resources.
4. Adopting new web standards like WebRTC to enable real-time communication directly in the browser.
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014Amazon Web Services
Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.
This document discusses benchmarking HTTP/2 using the h2load tool. It provides examples of using h2load to test various HTTP/2 configurations and protocols. The document also summarizes several experiments comparing performance of HTTP/2 with different settings, such as with or without domain sharding, combo handling, and different servers like ATS and nghttpx. It concludes that we need to consider server capacity for HTTP/2 deployments and that h2load is not perfect, providing opportunities for contribution.
The document provides 14 tips for optimizing website performance based on the 80/20 rule. The tips include minimizing HTTP requests by combining files, using a CDN, adding caching headers, gzipping files, optimizing CSS and JS placement, avoiding redirects and duplicate scripts, and making Ajax cacheable. Following these best practices can significantly improve page load times by reducing network requests and making better use of browser caching.
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
How a new HTTP response header can help increase the depth of your web application defenses.
Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.
Yahoo has developed the de facto standard for building fast front-ends for websites. The bad news: you have to follow 34 rules to get there. The good news: I'll take a subset of those rules, explain them, and show how you can implement those rules in an automated fashion to minimize impact on developers and designers for your high-traffic website.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
This is an updated version of this talk given at DrupalCamp Atlanta (DCA)
This presentation is an overview / case study of things learned by experiencing GDPR Security audits, DoS attacks, brute force login attacks, annoying robot crawlers, and hackers doing security probes.
The session will cover the following main topics with tips on how to protect against each of these.
An overview of security threats
Server Level Attacks
Code Level Attacks
User Access Attacks
Internal Attacks
Some suggestions on developing a security plan
People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.
Opening up the Social Web - Standards that are bridging the IslandsBastian Hofmann
The document discusses various standards that are helping to bridge isolated social networks and enable interoperability across platforms, including OpenID, WebFinger, XRD, PubSubHubbub, Salmon, OAuth, XAuth, OEmbed, and OpenSocial. It provides examples of how these standards work to allow users to log in or comment on different sites without separate accounts, share updates across networks, and embed content like videos universally. While progress is being made, challenges remain around user identity, privacy, access control, and full adoption. The overall goal is a more open and interconnected social web.
Similar to Honing headers for highly hardened highspeed hypertext (20)
RFC 7540 was ratified over 2 years ago and, today, all major browsers, servers, and CDNs support the next generation of HTTP. Just over a year ago, at Velocity, we discussed the protocol, looked at some real world implications of its deployment and use, and what realistic expectations we should have from its use. Now that adoption is ramped up and the protocol is being regularly used on the Internet, it's a good time to revisit the protocol and its deployment. Has it evolved? Have we learned anything? Are all the features providing the benefits we were expecting? What's next? In this session, we'll review protocol basics and try to answer some of these questions based on real-world use of it. We'll dig into the core features like interaction with TCP, server push, priorities and dependencies, and HPACK. We'll look at these features through the lens of experience and see if good practice patterns have emerged. We'll also review available tools and discuss what protocol enhancements are in the near and not-so-near horizon.
Altitude San Francisco 2018: Preparing for Video Streaming Events at ScaleFastly
CBS Interactive streams some of the largest video streaming events on the planet, including the Super Bowl in 2019. This talk will focus on all the work that goes in ahead of time to prepare and plan for game day. From architecture design to capacity reservations to operational visibility and building playbooks, we will explore how we build, test and prepare for these large events. We will also explore how some of Fastly's unique features such as MediaShield and VCL are becoming critical to these workflows.
Altitude San Francisco 2018: Building the Southern Hemisphere of the InternetFastly
As a global organization, Fastly carefully selects and deploys POP locations to service the greater audience of the Internet. Fastly currently has 52 global POPs across the Internet, 13 of which are located in the Southern Hemisphere. Another 3 are outside North America, Europe, and Asia. During this talk, VP of Infrastructure Tom Daly will share our experience in building Fastly's network of POPs south of the equator, where, in some cases, the Internet we know here in San Francisco is much different. Tom will explore the physical datacenter infrastructure, network topology, and network policy that pose unique challenges when operating in these parts of the world.
Altitude San Francisco 2018: The World Cup StreamFastly
FuboTV’s recent offering of the 2018 FIFA World Cup broke all of our previous records for viewership and put our systems to the test as we delivered all 64 matches live. Coverage for a majority of games was spread out across ~150 regional sports networks, local FOX affiliates, owned and operated regional stations and other local FOX offerings, with a few early matches broadcast on national channels. Running a successful World Cup required us to pay close attention to our caching strategies, delivery mechanisms, content edge-case handling and more. An event at this scale, spread out over a month, also gave us an excellent test bed to run experiments. We were able to augment our last-mile delivery, test/tweak our solution for CDN decisioning/priority, and even stand up a set of UHD HDR10 feeds to give our users their first glimpse of live OTT UHD offerings. We’ll run through this whole event from a scale and technology perspective and share our takeaways as we prepare for the upcoming NFL season and beyond.
Altitude San Francisco 2018: We Own Our DestinyFastly
1) CNN adopted GraphQL in 2016 to improve page load speeds by allowing clients to request specific data fields rather than entire documents, reducing response sizes by over 90% in some cases.
2) CNN later developed its own Data API using GraphQL and saw request volumes increase to over 7 million per hour with an 89% cache hit rate.
3) For live storytelling, CNN chose to implement Server-Sent Events which allows for near real-time updates without polling by allowing servers to push messages to clients as new data becomes available.
Altitude San Francisco 2018: Scale and Stability at the Edge with 1.4 Billion...Fastly
Braze is a customer engagement platform that delivers more than a billion messaging experiences across push, email, apps and more each day. In this session, Jon Hyman will describe the company's challenges during an inflection point in 2015 when the company reached the limitation of their physical networking equipment, and how Braze has since grown more than 7x on Fastly. Jon will also discuss how Braze uses Fastly's Layer 7 load balancing to improve stability and uptime of its APIs.
Altitude San Francisco 2018: Moving Off the Monolith: A Seamless MigrationFastly
In this talk, Jeff Valeo from Grubhub will talk about how they leveraged Fastly to slowly migrate user traffic from a legacy monolith to a new, service-based architecture. This solution allowed Grubhub to shift millions of users as new functionality was built with zero downtime.
Altitude San Francisco 2018: Bringing TLS to GitHub PagesFastly
Sam Kottler, SRE Engineering Manager at GitHub will dig into how they rearchitected Pages, so that custom domains now support HTTPS, meaning over a million GitHub Pages sites will be served over HTTPS.
Altitude San Francisco 2018: HTTP Invalidation WorkshopFastly
One of the most powerful tools that Fastly offers is worldwide, instant purge. Come learn the ins and outs of how HTTP invalidation works in general and how purge and surrogate keys can be used to improve your site's delivery and get even more value from Fastly.
This talk will also cover the purge blast radius.
Surrogate Keys are an amazing way to purge your content from cache, but they can be a bit scary when you aren't sure how many URLs a surrogate key is tied to or what kind of effect a purge will have on origin. Join the USA Today Network as we explain how we leverage big data tools, Go APIs, New Relic, and Sumo Logic to provide our users a suite of tools for purging content from Fastly. Developers love knowing the blast radius of their surrogate keys, while our engineers love the real-time metrics and notifications we get when developers are hard-purging content.
Altitude San Francisco 2018: HTTP/2 Tales: Discovery and WoeFastly
HTTP/2 initially seemed promising for reducing latency, but caused intermittent slowdowns for the client's critical assets. Testing revealed HTTP/2 increased median page latency by 20-30% compared to HTTP/1.1. While HTTP/2 performs well in some scenarios, it was not suitable for delivering critical assets globally due to variance issues. Over time the performance of HTTP/2 has improved, but introducing artificial latency still results in a 2.3x slowdown, so HTTP/1.1 remains a better solution for this client's critical path resources.
Altitude San Francisco 2018: How Magento moved to the cloud while maintaining...Fastly
Magento Commerce was first released by a small web development agency over ten years ago, when they saw first-hand what a challenge it was for companies like them to build unique eCommerce sites. They created an open source platform that gives developers the flexibility to create meaningful shopping experiences while building a global community that drives down merchant costs and fosters innovation. Amid the rise of cloud-based software, Magento needed to keep pace with more complex merchant needs and heightened shopper expectations. In this session, learn how Magento, with the help of partners like Fastly, evolved into a cloud-based platform without sacrificing their commitment to open software, flexibility, and the community.
Altitude San Francisco 2018: Scaling Ethereum to 10B requests per dayFastly
ConsenSys is a venture production studio building decentralized applications and developer and end-user tools for blockchains. Their Infura platform is a core infrastructure pillar of Ethereum, enabling decentralized applications of all kinds to scale to accommodate their users.
Infura went from 20 million requests a day at the beginning of 2017 to over 10 billion requests today. This staggering 500x increase naturally led to questions of scale.
In this talk, co-founder Michael Wuehler will discuss the technical challenges encountered while building and scaling the Infura platform, and the infrastructure decisions that led to their adoption of Fastly and other pivotal technologies.
Altitude San Francisco 2018: Authentication at the EdgeFastly
Turning away unwanted traffic close to the source is a common and key use case for edge networks like Fastly, but identity, authentication, and authorization at the edge can go far beyond blocking DDoS. The unique way that you identify your site’s users can probably move to the edge too, allowing you to cut response times in your critical path, offload more origin traffic, and make smarter routing decisions at the edge.
In this talk we’ll cover a number of patterns in use by real Fastly customers. Whether you prefer token authentication, pre-shared keys, OAuth, HTTP auth, JSON web tokens, or a complex paywall, learn how you can potentially make your authentication decisions at the edge.
Altitude San Francisco 2018: WebAssembly Tools & ApplicationsFastly
This document provides a brief history of WebAssembly, including its origins in asm.js and progression through various compiler tools to the current WebAssembly standard. It discusses early implementations using asm.js for structured control flow and linear memory with isolated stacks. It also summarizes key compiler and tooling projects that have contributed to WebAssembly, such as Emscripten, Binaryen, Cranelift, Rust and WebAssembly, Pyodide, and WebAssembly Studio.
Altitude San Francisco 2018: Testing with Fastly WorkshopFastly
A crucial step for continuous integration and continuous delivery with Fastly is testing the service configuration to provide confidence in changes. This workshop will cover unit-testing VCL, component testing a service as a black box, systems testing a service end-to-end and stakeholder acceptance testing.
Altitude San Francisco 2018: Fastly Purge Control at the USA TODAY NETWORKFastly
One of the most powerful tools that Fastly offers is worldwide, instant purge. Come learn the ins and outs of how HTTP invalidation works in general and how purge and surrogate keys can be used to improve your site's delivery and get even more value from Fastly.
This talk will also cover the purge blast radius.
Surrogate Keys are an amazing way to purge your content from cache, but they can be a bit scary when you aren't sure how many URLs a surrogate key is tied to or what kind of effect a purge will have on origin. Join the USA Today Network as we explain how we leverage big data tools, Go APIs, New Relic, and Sumo Logic to provide our users a suite of tools for purging content from Fastly. Developers love knowing the blast radius of their surrogate keys, while our engineers love the real-time metrics and notifications we get when developers are hard-purging content.
In this hands-on workshop you will attack a vulnerable web application while defending your own web service behind a Fastly WAF. Attendees will depart understanding how common web application attacks can be exploited as well as defended against. They will experience WAF logging and analytics via Sumo Logic to detect attacks in real time. For mitigation you will use a preview version of our newly built WAF rule management UI. We will close off the workshop by deep diving on how our security team analyzed and mitigated some of this summer's major vulnerabilities.
Altitude San Francisco 2018: Logging at the Edge Fastly
Fastly delivers more than a million log events per second. Our Real-Time Log Streaming is easy to set up, but there are many features you might not be using to their full extent.
This workshop will cover setting up logging to various endpoints, dealing with structured data, and getting real-time insights into your customers’ behavior.
Altitude San Francisco 2018: Video Workshop DocsFastly
Fastly delivers more than a million log events per second. Our Real-Time Log Streaming is easy to set up, but there are many features you might not be using to their full extent.
This workshop will cover setting up logging to various endpoints, dealing with structured data, and getting real-time insights into your customers’ behavior.
- - - - - - - - - - -
Live streaming and on-demand video can provide a powerful way to connect with customers, but viewers expect seamless pixel-perfect streams without common video delivery inconveniences, such as downtime or lags. This workshop will demonstrate how anyone can deliver live video at scale. We’ll thoroughly explain key video delivery optimizations and more importantly, demonstrate their efficacy using the data collected from both Fastly Log Streaming/Sumo Logic and the Mux quality of experience service.
Altitude San Francisco 2018: Programming the EdgeFastly
Programming the edge
Second floor
Andrew Betts
Principal Developer Advocate, Fastly
Through our support for running your own code on our edge servers, Fastly's network offers you a platform of unparalleled speed, reliability and efficiency to which you can delegate a surprising amount of logic that has traditionally been in the application layer. In this workshop, you'll implement a series of advanced edge solutions, and learn how to apply these patterns to your own applications to reduce your origin load, dramatically improve performance, and make your applications more secure.
Quality Patents: Patents That Stand the Test of TimeAurora Consulting
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
Slides in English presented at the 100% IA event held at Iguane Solutions' Paris offices on Tuesday, 2 July 2024:
- Presentation of our plug-and-play AI platform: its advanced features, such as its intuitive user interface, its powerful copilot and its high-performance monitoring tools.
- Customer feedback: Cyril Janssens, CTO of easybourse, shares his experience using our plug & play AI platform.
INDIAN AIR FORCE FIGHTER PLANES LIST.pdfjackson110191
These fighter aircraft have uses outside of traditional combat situations. They are essential in defending India's territorial integrity, averting dangers, and delivering aid to those in need during natural calamities. Additionally, the IAF improves its interoperability and fortifies international military alliances by working together and conducting joint exercises with other air forces.
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfNeo4j
Presented at Gartner Data & Analytics, London, May 2024. BT Group has used the Neo4j Graph Database to enable impressive digital transformation programs over the last 6 years. By re-imagining their operational support systems to adopt self-serve and data-led principles, they have substantially reduced the number of applications and the complexity of their operations. The result has been a substantial reduction in risk and costs while improving time to value, innovation, and process automation. Join this session to hear their story, the lessons they learned along the way, and how their future innovation plans include the exploration of uses of EKG + Generative AI.
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...Toru Tamaki
Jindong Gu, Zhen Han, Shuo Chen, Ahmad Beirami, Bailan He, Gengyuan Zhang, Ruotong Liao, Yao Qin, Volker Tresp, Philip Torr "A Systematic Survey of Prompt Engineering on Vision-Language Foundation Models" arXiv2023
https://arxiv.org/abs/2307.12980
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
7. • Alexa top 1,000,000 websites
• Around 500,000 pages analysed
• Over 50 million requests per run
• Captures full request and response data, timing metrics etc.
• Runs using WebPageTest
• Makes raw result data available in BigQuery
11. P3P
Machine readable privacy policy
https://www.w3.org/TR/P3P11/
Domains sending: 9.8%
Commonly set to: cp="this is not a p3p policy"
Standardised in: 2002
13. Platform for Privacy Preferences Project?
• Intended as a declaration of privacy policy
• Too hard for users to understand/use
• Only ever implemented by Internet Explorer, to gate access to third party cookies in IFRAMEs.
– ... but not validated
• Commonly set to “this is not a P3P policy” which satisfies the check
https://bigquery.cloud.google.com/savedquery/598614557294:9c69db8c47f84c4d9a4b57668ac8ba58
14. Expires
Sets expiry time for local caching
https://tools.ietf.org/html/rfc7234#section-5.3
Domains sending: 78%
Standardised in: 1997
20. X-Cache
Records whether the page came from cache upstream (probably)
Domains sending: 13%
Standardised in: Never
Commonly set to: HIT
21. Meaningless to the browser
x-cache x-aspnet-version x-varnish x-request-id x-cache-hits x-cacheable x-aspnetmvc-version x-runtime x-generator x-drupal-cache host referer x-served-by x-proxy-cache server x-type x-cache-group x-cache-status x-accel-version
All headers shown above are returned by at least 5,000 domains in the HTTP Archive dataset
https://bigquery.cloud.google.com/savedquery/598614557294:2463981d0f444b6ba6c1a8c376079b90
22. Outputting debug headers conditionally
if (!req.http.Reveal-Debug && !req.http.Cookie:RevealDebug) {
unset resp.http.Server;
unset resp.http.X-Powered-By;
unset resp.http.X-Cache;
// ... etc
}
Works in Fastly and Varnish cache
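The same opt-in rule as the VCL above, written as a WSGI middleware so it can run at the application tier rather than the cache. This is an added example, not code from the slides: the Reveal-Debug header and RevealDebug cookie are the slide's, while the function names and the demo app are assumptions.

```python
from http.cookies import SimpleCookie

# Response headers that reveal the stack (the ones the VCL above unsets, plus two from slide 21).
DEBUG_HEADERS = {"server", "x-powered-by", "x-cache", "x-varnish", "x-runtime"}


def debug_requested(environ):
    """True if the client sent a Reveal-Debug header or a RevealDebug cookie."""
    if environ.get("HTTP_REVEAL_DEBUG"):
        return True
    cookie = SimpleCookie()
    cookie.load(environ.get("HTTP_COOKIE", ""))
    return "RevealDebug" in cookie


def strip_debug_headers(app):
    """Wrap a WSGI app so disclosure headers only reach clients that asked for them."""
    def wrapped(environ, start_response):
        reveal = debug_requested(environ)

        def filtered_start(status, headers, exc_info=None):
            if not reveal:
                headers = [(k, v) for k, v in headers if k.lower() not in DEBUG_HEADERS]
            return start_response(status, headers, exc_info)

        return app(environ, filtered_start)
    return wrapped


def _demo_app(environ, start_response):
    """Constructed origin app that leaks several debug headers."""
    start_response("200 OK", [("Content-Type", "text/html"), ("Server", "Apache/2.4"),
                              ("X-Powered-By", "PHP/7.2"), ("X-Cache", "HIT")])
    return [b"<html>...</html>"]


def response_headers(environ):
    """Run the wrapped demo app for a WSGI environ; return the headers the client sees."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    app = strip_debug_headers(_demo_app)
    b"".join(app(environ, start_response))   # drive the app so start_response runs
    return dict(captured["headers"])
```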
23. X-Frame-Options
Prohibits third party framing of your site
https://tools.ietf.org/html/rfc7034
Domains sending: 22.7%
Standardised in: 2013
Almost always set to: sameorigin
24. Stop anyone from framing your site:
X-Frame-Options: SAMEORIGIN
But... equivalent to...
Content-Security-Policy: frame-ancestors 'self'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
25. Via
Lists proxies through which the request passes
https://httpwg.org/specs/rfc7230.html#header.via
Domains sending: 8.7%
Standardised in: 1997
32. Simple CSP example:
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
By default, only allow access to the same origin as the page. But allow images to come from anywhere. Media and scripts from a whitelist of specific origins.
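To see exactly what the policy above permits, here is an added example (not from the slides) that parses the fetch directives and decides whether a given resource may load, including the default-src fallback; note that script-src on this policy does not inherit 'self'. Scheme-source, nonce, hash and path matching are deliberately left out, and the function names and test URLs are assumptions.

```python
from urllib.parse import urlsplit

# The policy from the slide; the page and resource URLs in the checks are constructed.
EXAMPLE_CSP = ("default-src 'self'; img-src *; media-src media1.com media2.com; "
               "script-src userscripts.example.com")
# Fetch directives that inherit default-src when they are not set explicitly.
FALLS_BACK_TO_DEFAULT = {"img-src", "media-src", "script-src", "style-src",
                         "font-src", "connect-src", "frame-src"}


def parse_csp(policy):
    """Return {directive: [source expressions]}; a repeated directive is ignored."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def host_matches(source, host):
    """Match a host-source such as media1.com or *.example.com (scheme, port, path ignored)."""
    source = source.lower()
    if source.startswith("*."):
        return host.endswith(source[1:])
    return host == source


def csp_allows(policy, directive, page_url, resource_url):
    """Would resource_url be allowed to load as `directive` on a page at page_url?"""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src")   # e.g. style-src inherits 'self' here
    if sources is None:
        return True   # nothing governs this fetch type, so CSP does not restrict it
    if sources == ["'none'"]:
        return False
    page, res = urlsplit(page_url), urlsplit(resource_url)
    for src in sources:
        if src == "*" and res.scheme in ("http", "https"):
            return True
        if src == "'self'" and (res.scheme, res.netloc) == (page.scheme, page.netloc):
            return True
        if not src.startswith("'") and src != "*" and host_matches(src, res.hostname or ""):
            return True
    return False
```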
37. Referrer-Policy
What to send in referrals from this page
https://w3c.github.io/webappsec-referrer-policy/
Domains sending: 2.4%
Standardised in: 2017
39. Link (preload)
Declare a resource that’s important early on
https://w3c.github.io/preload/#x2.link-type-preload
Domains sending: 19.1%
Standardised in: 2016
44. The status code problem
[Timeline diagram: DNS Lookup → TLS → TTFB (Database, Auth, Templating, API queries) → Status code + LINK headers received]
45. 103 Early Hints
Sends headers before status code
https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-05
Domains sending: Unknown
Status: Proposed
46. Get your fonts and styles down even sharper:
HTTP/1.1 103 Early Hints
Link: <some-font-face.woff2>; rel="preload"; as="font"; crossorigin
Link: <main-styles.css>; rel="preload"; as="style"

HTTP/1.1 200 OK
Date: Fri, 26 May 2017 10:02:11 GMT
Content-Length: 1234
Content-Type: text/html; charset=utf-8
Link: <some-font-face.woff2>; rel="preload"; as="font"; crossorigin
Link: <main-styles.css>; rel="preload"; as="style"

<!doctype html>
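The exchange above as a client has to read it: one or more 1xx interim responses, each with its own header block and no body, followed by the final response. This added example (not from the slides) parses that byte stream and pulls the preload targets out of the 103 before the real status arrives; the bytes are the slide's headers constructed with CRLF endings, and the function names are assumptions.

```python
# The slide's exchange with CRLF line endings; Content-Length is set to the
# length of the constructed body rather than the slide's 1234.
RAW_RESPONSE = (
    b"HTTP/1.1 103 Early Hints\r\n"
    b"Link: <some-font-face.woff2>; rel=\"preload\"; as=\"font\"; crossorigin\r\n"
    b"Link: <main-styles.css>; rel=\"preload\"; as=\"style\"\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 26 May 2017 10:02:11 GMT\r\n"
    b"Content-Length: 15\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Link: <some-font-face.woff2>; rel=\"preload\"; as=\"font\"; crossorigin\r\n"
    b"Link: <main-styles.css>; rel=\"preload\"; as=\"style\"\r\n"
    b"\r\n"
    b"<!doctype html>"
)


def parse_head(block):
    """Split one status line plus header block into (status, [(name, value), ...])."""
    lines = block.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = [tuple(s.strip() for s in line.split(":", 1)) for line in lines[1:] if line]
    return status, headers


def parse_responses(raw):
    """Yield (status, headers, body) for every 1xx interim response and the final one."""
    rest = raw
    while True:
        head, _, rest = rest.partition(b"\r\n\r\n")
        status, headers = parse_head(head)
        if 100 <= status < 200:
            yield status, headers, b""   # interim response: no body, keep reading
            continue
        length = int(dict((k.lower(), v) for k, v in headers).get("content-length", 0))
        yield status, headers, rest[:length]
        return


def preload_targets(headers):
    """Targets of rel="preload" Link headers, e.g. 'main-styles.css'."""
    return [v.split(">")[0].lstrip("<") for k, v in headers
            if k.lower() == "link" and 'rel="preload"' in v]
```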
47. Preloaded resources start preloading earlier
[Timeline diagram: DNS Lookup → TLS → Early hints + Link headers received → Real status received]
49. Just turn off the bad stuff
Feature-Policy: autoplay 'none'; speaker 'self'; unsized-media some3rdparty.com
• No-one can autoplay video on this page
• Only I can use the speakers. No noisy ads, thanks.
• Images only take size from their contents when loaded from some3rdparty.com
50. The future-future:
Feature-Policy: doc-write 'none'; sync-xhr 'none'; sync-resources 'none'
• Bye bye document.write.
• No more synchronous XMLHTTPRequest
• All JS and CSS is deferrable
52. Sec-Origin-Policy
Moves origin-wide headers into a file
https://wicg.github.io/origin-policy/
Domains sending: 0
Status: Proposed
53. $ telnet bank.example.com 80
GET /statement HTTP/1.1
Host: bank.example.com
HTTP/1.1 200 OK
Date: Tue, 27 Feb 2018 13:28:47 GMT
Content-Type: text/html
Content-Length: 34882
<html>
...