2018 Orlando Code Camp Application Security

•Download as PPTX, PDF•

0 likes•218 views

This document describes a boy who brought his sugar glider on a plane trip and had issues with the TSA inspecting it. It then discusses common web security attacks like cross-site request forgery and cross-site scripting, and methods to prevent these attacks like input validation, sanitization, and escaping. It emphasizes applying security measures on both the client-side and server-side to protect against malicious inputs and unauthorized requests.

Technology

A Boy,
A Sugar Glider and
the TSA
Brian Clark
@_clarkio
Credit: https://www.flickr.com/photos/pitmanra/

Credit: https://www.flickr.com/photos/pitmanra/
The
Story

Credit: https://www.flickr.com/photos/diamondtdesign/

Credit: https://www.flickr.com/photos/25802865@N08/

Credit: https://www.flickr.com/photos/lostintexas/

Credit: https://www.flickr.com/photos/muar_chee/

Browser
http://insecureheroes.com
Server
http://insecureheroes.com

Browser
http://insecureheroes.comCookies
Server
http://insecureheroes.com

Browser
http://insecureheroes.comCookies
Server
http://insecureheroes.com
Hero: Luke

Browser
http://insecureheroes.comCookies
Server
http://insecureheroes.com
http://clickbaity.co

Browser
http://insecureheroes.comCookies
Server
http://insecureheroes.com
http://attacker.com
Attack
insecureheroes.com
Hero: Darth

An attack that executes a request on behalf of another
authenticated user that was not intending to perform
that action being requested
Cross-site Request Forgery

Synchronizer
Token
Pattern
Random token
Unique to user and
session
Part of the request header
Validated server-side

https://angular.io/guide/http#security-xsrf-protection

Credit: https://www.flickr.com/photos/hyku/

Credit: https://www.flickr.com/photos/hdport/

Credit: https://www.flickr.com/photos/27229185@N05/

An attack that injects malicious code into a trusted web
site such that it may be executed unintendedly by other
users
Cross-site Scripting (XSS)

Prevention
Content Security PolicyInput Handling
Control what resources
the browser is allowed to
load
Ensure data is aligned
with the expectations for
its intended use

Input Handling
EscapingSanitizationValidation

Sanitization EscapingValidation
Ensure the data is legit
Invalid Email
Result
:

Validation EscapingSanitization
Clean the bad data
BC
Result
:

SanitizationValidation Escaping
Encode the bad data
B<script>alert(1);</script>C
Result
:

Where should we apply
input handlers?
Client? Server?

Browser
http://insecureheroes.com
Server
http://insecureheroes.com
Security
Boundary

Browser
http://insecureheroes.com
Server
http://insecureheroes.com
Security
Boundary
Untrusted

Browser
http://insecureheroes.com
Server
http://insecureheroes.com
Security
Boundary
Trusted

https://www.npmjs.com/package/express-validator

https://www.npmjs.com/package/xss-filters

Summary
Access Control
Malicious Input
Sugar Gliders
Faking Requests

Reference
s
https://owasp.org
https://github.com/Azure-Samples/angular-cosmosdb
(branch: insecure-heroes)
https://angular.io/guide/security
https://www.npmjs.com/package/csurf
https://angular.io/guide/http#security-xsrf-protection
https://caniuse.com/#search=samesite

What's hot

Facebook Masters Training – Facebook Strategy w/ Justin Levy of Citrix

Social Fresh Conference

Digital IUPAC: The need for global representation of chemistry and chemical i...

Dog sledding

Practica tic, Ainara

ورشة الكامتازيا

11 Secrets of Blog Promotion - Internet Marketing Club

Erik Deckers

Laura Creekmore Y'all Connect Presented by Alabama Power June 12, 2015 Birmingham, Alabama For more: http://yallconnect.com/videos/laura-creekmore-understanding-your-audiences-content-need/ Laura Creekmore: We often say that content strategy starts with the business need, but we should say that your content strategy really starts with your audience. Without an audience, you don’t have a business goal. This workshop helps you understand your audience’s demand for content — and how to meet that need. If that’s starting to sound a little like UX (user experience), you’re not far off. Learn about the content-focused tools you can use to better understand what your audience needs from you. Takeaways: • Find your audiences; • Read the signals they’re already sending you; • Design content that meets your audience needs; • Train a team to create content according to your plan; • Sell the strategy to your C-suite.

Understanding Your Audience’s Content Need, by Laura Creekmore

Y'all Connect

Introduction to digital verification in news

Alastair Reid

Beating the hoaxers at their own game

Alastair Reid

FLICKR, miradas inusuales de desnudos

fotoclubquito

Facebook & Twitter 101

Julie Gomoll

How To Move A Closed Development Community To Open

Wohlbefinden

Rules of composition

Tips

Manager de demain

Social Media Use and Fulfilling the Need to Belong

capreeca

What's hot (19)

Facebook Masters Training – Facebook Strategy w/ Justin Levy of Citrix

Digital IUPAC: The need for global representation of chemistry and chemical i...

Dog sledding

Practica tic, Ainara

ورشة الكامتازيا

11 Secrets of Blog Promotion - Internet Marketing Club

Understanding Your Audience’s Content Need, by Laura Creekmore

Introduction to digital verification in news

Beating the hoaxers at their own game

FLICKR, miradas inusuales de desnudos

Facebook & Twitter 101

How To Move A Closed Development Community To Open

Wohlbefinden

Rules of composition

Tips

Manager de demain

Social Media Use and Fulfilling the Need to Belong

Similar to 2018 Orlando Code Camp Application Security

Title: Tots “Too Hot!” - The Cute, The Bad and The Ugly of Pediatric Fever Description: Elevated temperatures in pediatric patients are some of the most common, and often frustrating types of calls in EMS. Are the parents over-reacting? Are we under-reacting? This presentation illuminates what causes fever, how it can help or harm a child, what problems it can cause or be caused by, how to differentiate critical vs benign fever and how to prioritize care in pediatric patients with elevated temperature. Teaching Formats: -Lecture -Discussion -Question and Answer Learning Objectives: Students will learn: - Normal and abnormal thermoregulation in pediatric patients. - Obtaining accurate thermometry through a variety of methods. - Differentiation of exogenous vs endogenous pyrogens. - Differentiation of “Febrile Seizure” and “Seizure with Fever” - Special concerns for pediatric fever including patients with sickle cell disease, poor cardiac reserves, poor respiratory function and immune-compromised or immuno-suppressed patients. SEE MORE AT WWW.ROMDUCK.COM

Tots Too Hot : The Good, The Bad and the Ugly of Pediatric Fever

Rommie Duckworth

Anderson_Jamar_IgniteSlideShare

jdanderson

Digital Storytelling

RachelStaman

As social networks become an ever increasing part of our online lives what happens to all of the data that we create as we leave comments on friends profiles, upload pictures and make online purchases? It SHOULD be your data too bad that's not always the case. This presentation discusses what data privacy and identity ownership mean in a networked world. Presented to Podcamp Kilkenny September 2008.

Don't Forget to Pack Your Social Network: Data Portability Myths and Realities

Mark Congiusta

Lesson17vocab

PEDH

Internet Awareness 2011

klbeasley

Libraries and Innovation: Creating environments for encouraging and supportin...

Matthew Hamilton

Library Analytics with Char Booth and Paul Signorelli, Session 1 Part 2

ALATechSource

Lesson19vocab

PEDH

Script and supporting materials at: http://peterbromberg.com/sla Throw out those 5 year strategic plans, change ain't what it used to be. Change no longer happens in slow, predictable, macro waves that allow us the time to make and execute big plans. Change now happens in a continual series of microbursts, each one potentially changing our experiences, behaviors, perceptions, and expectations in unexpected but potentially powerful ways. A new type of leadership is called for. A leadership that not only provides a map for change, but also empowers people in your organization to throw away the map and respond to clients' needs in the moment. A leadership that questions best practices, holding only lightly to the ways of the past. A leadership that monitors societal trends and embraces small innovations and good ideas no matter where they come from.

The Value of Leadership, the Leadership of Value: Remaining Relevant in times...

Peter Bromberg

Spinal injuries cause an estimated 6,000 deaths and 5,000 new cases of quadriplegia each year. It’s no wonder that EMS providers have been taught, “Better to board them all than miss a single injury.” But universal spinal immobilization has its own costs and risks, and there are better options. Should we be “boarding” everyone, no one, or somewhere in between? What is “safe” and what are the liabilities? This program examines EMS field care of traumatic c-spine injuries evaluating different selective spinal stabilization protocols, pros and cons of common spinal stabilization tools and techniques and methods for providers of any level to help their system adopt and implement these best practices. As seen in EMS World Magazine and Fire Engineering Magazine www.RomDuck.com www.RescueDigest.com

Board to Death: Improving Prehospital Spinal Stabilization

Rommie Duckworth

Slides to support a workshop for the Brandon University VOICE Project in The Pas, Manitoba. 27 November 2013. We learn by doing; in this workshop we'll create together and then discuss effective ways to make our classrooms active learning environments. This workshop will also outfit teachers with the tools, skills, and pedagogical perspectives necessary to be successful in a 1-to-1, iPad or BYOD class. We'll share valuable educational apps for iPads across various content areas. We will design an integrated suite of tools that help students learn and show what they know to the world. Learn how to design effective learning experiences by "mashing up" different apps to create your own app-tivities. You'll walk away from this session with a strong understanding of the fundamentals of using technology in the classroom.

The iPad Learning Studio v1

Darren Kuropatwa

Branch_Derrick_4.4

Derrick Branch

Aup internet safety presentation - staff

landonscism

Suporte técnico em redes sociais

Roberto Cohen

Bridging the Gap - The Future of Learning

Clint Hamada

Abdulaziz Bandar Visual Resume

Azuz Bandar

Katie and Brooke Period 4

The Unquiet Library: Student Work

Marketing throughpublishing

Rod Paddock

Design is thinking made visual

DigiJamWeb2

Similar to 2018 Orlando Code Camp Application Security (20)

Tots Too Hot : The Good, The Bad and the Ugly of Pediatric Fever

Anderson_Jamar_IgniteSlideShare

Digital Storytelling

Don't Forget to Pack Your Social Network: Data Portability Myths and Realities

Lesson17vocab

Internet Awareness 2011

Libraries and Innovation: Creating environments for encouraging and supportin...

Library Analytics with Char Booth and Paul Signorelli, Session 1 Part 2

Lesson19vocab

The Value of Leadership, the Leadership of Value: Remaining Relevant in times...

Board to Death: Improving Prehospital Spinal Stabilization

The iPad Learning Studio v1

Branch_Derrick_4.4

Aup internet safety presentation - staff

Suporte técnico em redes sociais

Bridging the Gap - The Future of Learning

Abdulaziz Bandar Visual Resume

Katie and Brooke Period 4

Marketing throughpublishing

Design is thinking made visual

Recently uploaded

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

CNv6 Instructor Chapter 6 Quality of Service

giselly40

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

Explore 'The Codex of Business: Writing Software for Real-World Solutions,' a compelling SlideShare presentation that delves into digital transformation in healthcare. Discover through a detailed case study how Agile methodologies empower healthcare providers to develop, iterate, and refine digital solutions that address real-world challenges. Learn how strategic planning, user feedback, and continuous improvement drive success in deploying technologies that enhance patient care and operational efficiency. Ideal for healthcare professionals, IT specialists, and digital transformation advocates seeking actionable insights and practical examples of technology making a real difference.

The Codex of Business Writing Software for Real-World Solutions 2.pptx

Malak Abu Hammad

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Real Time Object Detection Using Open CV

Khem

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization

Radu Cotescu

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf