The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Seguridad en microservicios via micro profile jwtCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente se presenta el proyecto Eclipse MicroProfile JWT que provee un API Java Empresarial optimizado para arquitecturas orientadas a Microservicios. Se presentará un caso práctico en el que se desarrollará una aplicación segura con MicroProfile JWT, Apache TomEE y AngularJS. Demostrando de esta forma las capacidades de configuración, CDI, autenticación y autorización avanzadas que ofrece Eclipse MicroProfile JWT. Durante esta sesión los asistentes podrán ver los conceptos básicos de seguridad REST con Oauth 2.0, JWT y Http signatures. El caso práctico será presentado utilizando Eclipse Microprofile sobre una aplicación con un Front-End AngularJS y Java EE en Apache TomEE.
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.
2018 colombia deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.
The document discusses the Web Crypto API which allows cryptographic operations like hashing, signatures, and encryption/decryption to be performed in web applications. It covers the SubtleCrypto interface which provides cryptographic algorithms and methods. Some key methods include importKey, deriveKey, encrypt, and decrypt. It also discusses concepts like symmetric keys, AES-GCM encryption, PBKDF2 key derivation, and storing encrypted data with salts and initialization vectors. An example is provided of encrypting and decrypting data with a password using these Web Crypto API methods.
2018 SDJUG Deconstructing and Evolving REST SecurityDavid Blevins
The document discusses various approaches for securing REST APIs, including basic authentication and its limitations, OAuth 2.0 protocols, and using hashing and signing techniques like HMAC and RSA. It provides examples of basic authentication, OAuth 2.0 password and refresh grants, and generating and verifying hashes and signatures of data. The presentation aims to explore standards for REST security beyond basic authentication and improving statelessness.
Cryptography involves techniques for securing communications and information. The document discusses several cryptographic concepts:
1. Hashing involves running data through a function to generate a fixed-size output called a digest or hash. Common hashing algorithms are MD5, SHA-1, and SHA-256.
2. Symmetric encryption uses the same key for encryption and decryption. Algorithms like AES and DES encrypt blocks of data under a secret key.
3. Asymmetric encryption uses different public and private keys. RSA and ECC are common algorithms. Keys can be generated, and data encrypted and decrypted.
4. Digital signatures provide integrity by allowing the authenticity of data to be verified. Signatures can
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWTDavid Blevins
In this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Seguridad en microservicios via micro profile jwtCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente se presenta el proyecto Eclipse MicroProfile JWT que provee un API Java Empresarial optimizado para arquitecturas orientadas a Microservicios. Se presentará un caso práctico en el que se desarrollará una aplicación segura con MicroProfile JWT, Apache TomEE y AngularJS. Demostrando de esta forma las capacidades de configuración, CDI, autenticación y autorización avanzadas que ofrece Eclipse MicroProfile JWT. Durante esta sesión los asistentes podrán ver los conceptos básicos de seguridad REST con Oauth 2.0, JWT y Http signatures. El caso práctico será presentado utilizando Eclipse Microprofile sobre una aplicación con un Front-End AngularJS y Java EE en Apache TomEE.
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.
2018 colombia deconstruyendo y evolucionando la seguridad en servicios restCésar Hernández
La curva de aprendizaje para la seguridad es severa e implacable. Las especificaciones prometen una flexibilidad infinita y habitualmente dan nuevos nombres a los conceptos antiguos. Esta sesión profundiza el estado actual y evolución que la seguridad en arquitecturas basadas en servicios REST han requerido con conceptos competitivos como OAuth 2.0 en el mundo mobile y HTTP signatures utilizado por Amazon en API's B2B. Finalmente, se analiza un nuevo borrador de Internet lanzado este año que los combina a ambos en el sistema perfecto de dos factores que podría proporcionar una consolidación para los escenarios de REST mobile y de negocios.
The document discusses the Web Crypto API which allows cryptographic operations like hashing, signatures, and encryption/decryption to be performed in web applications. It covers the SubtleCrypto interface which provides cryptographic algorithms and methods. Some key methods include importKey, deriveKey, encrypt, and decrypt. It also discusses concepts like symmetric keys, AES-GCM encryption, PBKDF2 key derivation, and storing encrypted data with salts and initialization vectors. An example is provided of encrypting and decrypting data with a password using these Web Crypto API methods.
2018 SDJUG Deconstructing and Evolving REST SecurityDavid Blevins
The document discusses various approaches for securing REST APIs, including basic authentication and its limitations, OAuth 2.0 protocols, and using hashing and signing techniques like HMAC and RSA. It provides examples of basic authentication, OAuth 2.0 password and refresh grants, and generating and verifying hashes and signatures of data. The presentation aims to explore standards for REST security beyond basic authentication and improving statelessness.
Cryptography involves techniques for securing communications and information. The document discusses several cryptographic concepts:
1. Hashing involves running data through a function to generate a fixed-size output called a digest or hash. Common hashing algorithms are MD5, SHA-1, and SHA-256.
2. Symmetric encryption uses the same key for encryption and decryption. Algorithms like AES and DES encrypt blocks of data under a secret key.
3. Asymmetric encryption uses different public and private keys. RSA and ECC are common algorithms. Keys can be generated, and data encrypted and decrypted.
4. Digital signatures provide integrity by allowing the authenticity of data to be verified. Signatures can
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWTDavid Blevins
In this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
The document discusses various approaches to securing REST APIs, including basic authentication and its limitations, OAuth 2.0 tokens and refresh tokens, hashing, and signing. It notes that while standards provide options, they do not ensure security and proper implementation is important. The presentation evaluates approaches based on performance and security, noting tradeoffs between the two goals.
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHackito Ergo Sum
This document discusses remotely using the Spanish National Electronic ID (DNIe) and potential attacks. It provides an introduction to the DNIe and describes a "Man in the Remote" (MiR) attack where an attacker is able to remotely access and use the functionalities of a DNIe card plugged into a different computer. It demonstrates how the attacker could achieve remote authentication and signing. It also discusses some potential solutions to prevent MiR attacks based on analyzing response times.
This document provides an overview of advanced encryption concepts, including research, books, news events, costs, laws, deeper Java Virtual Machine (JVM) encryption, encoding, hashing, salting, keytool, SSL/TLS, elliptic curve cryptography, and other techniques like steganography. Specific encryption algorithms, protocols, and libraries are discussed like RSA, MD5, SHA-1, HMAC, Base64, and tools in the JDK like keytool. Potential attacks on encryption systems from news stories are also summarized.
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfileJean-Louis MONTEIRO
Microservices based architecture seems to be the common convergence point in the industry. But when it comes to security we are still struggling to evolve from monolithic systems or people oriented architecture. This presentation will be focusing on this landscape and explain how to leverage the quickly evolving MicroProfile JWT specification to secure Microservices and in a fully stateless and scalable manner. We’ll introduce the specification in a quick and no nonsense fashion and move on to several code examples that show how to setup JWT verification and obtain trusted claims via lookup or dependency injection. For our playground, we’ll be using Apache TomEE, fully open source lightweight Java EE server and MicroProfile implementation.
GnuPG, popularly knowns as gpg is an alternative to PGP module and mainly used for encryption and decryption of keys while sending mail or data.
This presentation shows various useful gpg commands that you can use in day-to-day life.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Madrid JUG Deconstructing REST SecurityBruno Baptista
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
Andy Watson, an employee of Ionic Security, gave a presentation on properly using cryptography in applications. The presentation covered topics such as random number generation, hashing, salting passwords, key derivation functions, symmetric encryption algorithms and common mistakes made with cryptography. The goal was to help people avoid vulnerabilities like unsalted hashes, hardcoded keys, weak random number generation and improper encryption modes.
Side-Channels on the Web: Attacks and DefensesTom Van Goethem
In this presentation we explore various side-channel attacks in the Web that can be used to leak information on cross-origin responses. These so-called XS-Leaks issues may allow an adversary to extract sensitive information from an unwitting visitor, ranging from personal information this victim shared with social media networks to CSRF tokens, which may lead to full account takeover.
Finally, we discuss the various defenses that can be used to harden web applications against the different types of attacks.
2017 Devoxx MA Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
Cryptography for Java Developers
Hashes, MAC, Key Derivation, Encrypting Passwords, Symmetric Ciphers & AES, Digital Signatures & ECDSA
About the Speaker
What is Cryptography?
Cryptography in Java – APIs and Libraries
Hashes, MAC Codes and Key Derivation (KDF)
Encrypting Passwords: from Plaintext to Argon2
Symmetric Encryption: AES (KDF + Block Modes + IV + MAC)
Digital Signatures, Elliptic Curves, ECDSA, EdDSA
Live demos and code examples: https://github.com/nakov/Java-Cryptography-Examples
Video (in Bulgarian language): https://youtu.be/ZG3BLXWVwJM
Blog: https://nakov.com/blog/2019/01/26/cryptography-for-java-developers-nakov-at-jprofessionals-jan-2019/
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?
How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.
We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!
jsrsasign is a opensource free pure JavaScript cryptographic library. This slide shows its features such like RSA/ECDSA signing, PKCS#1/8 private/public key, ASN.1, certificate, JWT/JWS/JWK for introduction.
An attacker was able to gain access to an internal network by phishing a secretary's smartphone. They then used lateral movement techniques like pass-the-hash to escalate privileges and access sensitive files. This included obtaining Domain Admin credentials for the "adm.arazzi" user. The attacker was ultimately able to exfiltrate data and establish persistence on the network.
These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).
In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2018 Denver JUG Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 jPrime Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 IterateConf Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
The document discusses various approaches to securing REST APIs, including basic authentication and its limitations, OAuth 2.0 tokens and refresh tokens, hashing, and signing. It notes that while standards provide options, they do not ensure security and proper implementation is important. The presentation evaluates approaches based on performance and security, noting tradeoffs between the two goals.
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHackito Ergo Sum
This document discusses remotely using the Spanish National Electronic ID (DNIe) and potential attacks. It provides an introduction to the DNIe and describes a "Man in the Remote" (MiR) attack where an attacker is able to remotely access and use the functionalities of a DNIe card plugged into a different computer. It demonstrates how the attacker could achieve remote authentication and signing. It also discusses some potential solutions to prevent MiR attacks based on analyzing response times.
This document provides an overview of advanced encryption concepts, including research, books, news events, costs, laws, deeper Java Virtual Machine (JVM) encryption, encoding, hashing, salting, keytool, SSL/TLS, elliptic curve cryptography, and other techniques like steganography. Specific encryption algorithms, protocols, and libraries are discussed like RSA, MD5, SHA-1, HMAC, Base64, and tools in the JDK like keytool. Potential attacks on encryption systems from news stories are also summarized.
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfileJean-Louis MONTEIRO
Microservices based architecture seems to be the common convergence point in the industry. But when it comes to security we are still struggling to evolve from monolithic systems or people oriented architecture. This presentation will be focusing on this landscape and explain how to leverage the quickly evolving MicroProfile JWT specification to secure Microservices and in a fully stateless and scalable manner. We’ll introduce the specification in a quick and no nonsense fashion and move on to several code examples that show how to setup JWT verification and obtain trusted claims via lookup or dependency injection. For our playground, we’ll be using Apache TomEE, fully open source lightweight Java EE server and MicroProfile implementation.
GnuPG, popularly knowns as gpg is an alternative to PGP module and mainly used for encryption and decryption of keys while sending mail or data.
This presentation shows various useful gpg commands that you can use in day-to-day life.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Madrid JUG Deconstructing REST SecurityBruno Baptista
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
Andy Watson, an employee of Ionic Security, gave a presentation on properly using cryptography in applications. The presentation covered topics such as random number generation, hashing, salting passwords, key derivation functions, symmetric encryption algorithms and common mistakes made with cryptography. The goal was to help people avoid vulnerabilities like unsalted hashes, hardcoded keys, weak random number generation and improper encryption modes.
Side-Channels on the Web: Attacks and DefensesTom Van Goethem
In this presentation we explore various side-channel attacks in the Web that can be used to leak information on cross-origin responses. These so-called XS-Leaks issues may allow an adversary to extract sensitive information from an unwitting visitor, ranging from personal information this victim shared with social media networks to CSRF tokens, which may lead to full account takeover.
Finally, we discuss the various defenses that can be used to harden web applications against the different types of attacks.
2017 Devoxx MA Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
Cryptography for Java Developers
Hashes, MAC, Key Derivation, Encrypting Passwords, Symmetric Ciphers & AES, Digital Signatures & ECDSA
About the Speaker
What is Cryptography?
Cryptography in Java – APIs and Libraries
Hashes, MAC Codes and Key Derivation (KDF)
Encrypting Passwords: from Plaintext to Argon2
Symmetric Encryption: AES (KDF + Block Modes + IV + MAC)
Digital Signatures, Elliptic Curves, ECDSA, EdDSA
Live demos and code examples: https://github.com/nakov/Java-Cryptography-Examples
Video (in Bulgarian language): https://youtu.be/ZG3BLXWVwJM
Blog: https://nakov.com/blog/2019/01/26/cryptography-for-java-developers-nakov-at-jprofessionals-jan-2019/
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?
How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.
We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!
jsrsasign is a opensource free pure JavaScript cryptographic library. This slide shows its features such like RSA/ECDSA signing, PKCS#1/8 private/public key, ASN.1, certificate, JWT/JWS/JWK for introduction.
An attacker was able to gain access to an internal network by phishing a secretary's smartphone. They then used lateral movement techniques like pass-the-hash to escalate privileges and access sensitive files. This included obtaining Domain Admin credentials for the "adm.arazzi" user. The attacker was ultimately able to exfiltrate data and establish persistence on the network.
These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).
In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2018 Denver JUG Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 jPrime Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 IterateConf Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2017 JavaOne Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architecturual impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Boulder JUG Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2018 JavaLand Deconstructing and Evolving REST SecurityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is use to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, well peak into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big picture perspective and wire-level detail.
2019 ITkonekt Stateless REST Security with MicroProfile JWTJean-Louis MONTEIRO
This document discusses stateless microservice security using JSON Web Tokens (JWT) with OAuth 2.0. It begins with an introduction to microservices architecture and its new security challenges compared to traditional monolithic systems. It then covers some common security options for microservices, including basic authentication, OAuth 2.0, and JWT. The document demonstrates how OAuth 2.0 token exchanges can be used to issue JWTs that are passed in authentication headers for microservice requests instead of sending passwords over the network. This improves scalability by eliminating network hops and allowing for stateless security checks of the signed JWTs.
2017 dev nexus_deconstructing_rest_securityDavid Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group.
So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.
The document discusses OAuth and OpenID Connect protocols. It provides diagrams illustrating the flows of OAuth authorization code grant, implicit grant and hybrid grant flows. It also compares OAuth and OpenID Connect, noting that OpenID Connect builds upon OAuth by adding an identity layer. Key aspects of OpenID Connect like ID tokens and their claims are outlined. Examples of OAuth and OpenID Connect implementations are provided at the end.
OAuth 2.0 es un protocolo abierto que nos brinda autorización y delegación para nuestras APIs HTTP. En esta sesión daremos un repaso al estado del arte de la seguridad en las APIs HTTP. A continuación pasaremos a entender que es este protocolo y como funciona. Daremos un repaso a todos sus flujos: Authorization Code, Implicit, Client Credentials, ROPC, PKCE… y veremos ejemplos en directo para acabar de tener un imagen completa de todo lo que nos ofrece y que nos servirá para cuando empecemos a trabajar con servidores de identidad OIDC.
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.
The document discusses vulnerabilities in JSON Web Tokens (JWT). It begins by introducing JWTs and their typical uses. It then covers the JWT format and components like the header, payload, and signature. Various signing algorithms are presented. Attacks like open redirects, header injection, and algorithm downgrades are demonstrated through abusing the "jku" and "x5u" parameters. Recommendations are provided like using strong keys, reviewing libraries, enforcing algorithms, and testing for vulnerabilities. In conclusion, JWTs are complex and insecure by design, so careful implementation and testing is needed.
Sesión del Global Azure Bootcamp 2017. Azure Key Vault nos permite asegurar los servicios alojados, las claves y contraseñas en un almacenamiento especial y protegido. En esta sesión exploraremos las capacidades de Azure Key Vault y veremos como es necesario su uso en la Star Trek para garantizar la seguridad.
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Nat Sakimura
Nat Sakimura proposes applying the Basin-Cremers-Meier (BCM) principles to strengthen the OAuth 2.0 authorization code grant protocol against network attackers. The BCM principles aim to ensure cryptographic message components uniquely identify their origin and include identities and roles of all agents. Sakimura analyzes how the original OAuth messages satisfy the BCM principles poorly by lacking unique identifiers and integrity protection. He suggests modifications like adding unique redirect URIs, signing requests and responses, and including state/transaction binding IDs to better satisfy the principles and secure OAuth against network attackers.
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)Guy Podjarny
When users use our sites, they put their faith in us. They trust we will keep their information from reaching others, believe we provided the information they see, and allow us to run (web) code on their devices. Using HTTPS to secure our conversations is a key part of maintaining this trust.
If that’s not motivation enough, the web’s giants are actively promoting HTTPS, requiring it for features such as HTTP2 & ServiceWorker, using it for search engine ranking and more. To make the most of the web, you need to use HTTPS.
This deck reviews what HTTPS is, discusses why you should prioritize using it, and cover some of the easiest (and most cost effective) steps to get started using HTTPS
Strong Authentication in Web Application #SCS IIISylvain Maret
Swiss Cyber Storm 3 Security Conference / OWASP Track
Strong Authentication: State of the Art 2011
Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach
How to integrate Strong Authentication in Web Application?
OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)
Ähnlich wie Stateless Microservice Security via JWT and MicroProfile - Guatemala (20)
Non-relational databases have come with the promise of assisting software in the Big Data age, handling the challenges of variety, velocity, and volume that come with it.
However, several points plague even the most experienced software architects: How do I migrate my data to NoSQL and which one? Where are the relationships? Should I use some ORM? The purpose of this talk is to answer all of these questions and provide some essential tips so that your NoSQL experience is not a disaster.
Modern Cloud-Native Jakarta EE Frameworks: tips, challenges, and trends.Otávio Santana
Java has a large number of tools and frameworks to facilitate integration with databases, microservices, and so on. These tools have evolved considerably. It all started with class integrated with XML files and has undergone significant evolution with reflections and annotations within the class definitions. In the cloud-native scenario, requirements have changed and this impacts applications in ways that weren't critical before. For example, cold starts and boot time wasn't critical with application servers but is crucial in serverless and microservices. The objective of this presentation is to talk about how these frameworks behave in the native cloud age and they affect Jakarta EE.
Architecting Cloud Computing Solutions with Java [1.1]Otávio Santana
This document discusses cloud-native concepts and architectures using Java. It begins with an introduction to the speaker, Otavio Santana, and his background. It then covers topics like cloud types, cloud native approaches, and how they apply concepts like microservices, containers, and orchestration. It also discusses Java optimizations for cloud environments and projects like Eclipse MicroProfile that help build cloud native Java applications. It concludes with a demonstration of Platform.sh's polyglot platform as a service that aims to simplify developing, deploying and managing cloud applications.
Arquitetando soluções de computação em nuvem com JavaOtávio Santana
O Cloud Native se tornou uma grande palavra de ordem em todo o mundo, um termo que é praticamente usado por todos em todos os momentos. Mas o que isso significa? Quais são as vantagens que ele traz ao seu aplicativo e ao seu dia como desenvolvedor ou arquiteto de software? O que há de novo no mundo Java e quais são as etapas a seguir para um aplicativo em nuvem nativo? Esta apresentação é um guia passo a passo que praticamente o guiará na implementação de serviços de computação em nuvem de maneira eficaz e eficiente.
Build, run, and scale your Java applications end to endOtávio Santana
This presentation will talk about a solution to the continuous deployment cloud hosting solution that can scale applications from the smallest projects to those handling millions of visitors. It is ideal for agile software teams because of its unique feature: it can replicate a live production cluster in seconds and create byte-level clones of throwaway dev and staging environments, which makes testing and validation 90% faster.
Jakarta NoSQL: Meet the first Jakarta EE specification in the CloudOtávio Santana
The document discusses Jakarta NoSQL, the first Jakarta EE specification for working with NoSQL databases in the cloud. It introduces different NoSQL database models, including key-value, column family, document, and graph databases. It then describes the Jakarta NoSQL APIs which provide a common way to work with different NoSQL database types through a mapping API and communication API. The specification aims to standardize how Java applications access NoSQL databases in the cloud.
ORMs: Heroes or Villains Inside the Architecture?Otávio Santana
In the information age, with new technologies, frameworks, and programming languages, there is an aspect of technology that never changes. All applications need a storage integration related to their system; either SQL or NoSQL, to point out that there is a different paradigm among the development team and the database team. To make developer life easier, new frameworks emerged that convert between the application layer and the database, which includes the famous ORM. Indeed, contemporary challenges appear such as how to handle different paradigms that are in software development and how to make a regular development without impacting on the database.
This document discusses how Jakarta EE can be used to access NoSQL databases in cloud applications. It introduces different NoSQL database types and describes issues with using JPA for NoSQL. Jakarta NoSQL provides APIs, mappings, and communication interfaces to access various NoSQL databases from Jakarta EE applications in a standardized way. It supports features like queries, repositories, and handling diversity across NoSQL databases.
Jakarta EE Meets NoSQL in the Cloud Age [DEV6109]Otávio Santana
Let’s be honest: the amount of data collected by applications nowadays is growing at a scary pace. Many of them need to handle billions of users generating and consuming data at an incredible speed. Maybe you are wondering how to create an application like this? What is needed? What benefits can you take from this reality to your project? This session shows how Jakarta EE can meet these needs when you’re working with NoSQL databases in the cloud. It's the same approach used by some of the biggest companies in the world to store, analyze, and get results from really crazy amounts of data. No matter your project size, you can take it to the next level today.
Let’s Make Graph Databases Fun Again with Java [DEV6043]Otávio Santana
It’s a fact: today NoSQL databases are very popular in several areas of the software industry. They have many different uses cases, including graphs. The graph database has a structure that’s pretty different from relational technology and has a lot of successful use cases such as recommendation systems on Facebook and LinkedIn. This session covers what a graph database is and how to use it with Java. With a useful and practical live demo of career recommendation with Neo4J, you will learn how easy it could be to build your next successful application. Today!
Eclipse JNoSQL: One API to Many NoSQL Databases - BYOL [HOL5998]Otávio Santana
This document introduces JNoSQL, an Eclipse project that provides a common API for working with various NoSQL database types. It summarizes each speaker and gives an overview of NoSQL databases and the different types. It then describes JNoSQL's goals of providing a common mapping and communication API along with examples of using its APIs for different database types. Finally, it outlines hands-on examples for using JNoSQL with Redis, MongoDB and Neo4j.
The new generation of data persistence with graphOtávio Santana
1) The document discusses the evolution of data from goods to information and machines, and the transition from SQL to NoSQL databases like key-value, column, document and graph structures.
2) It provides an example of modeling data as a graph database using TinkerPop and Gremlin, showing how to add vertices and edges to represent relationships.
3) Graph databases allow complex queries over relationships, like finding engineers who know other people or might fall in love, which would be difficult in SQL.
Eclipse JNoSQL updates from JCP September 11Otávio Santana
This document discusses NoSQL databases and the Eclipse JNoSQL project. It describes five different types of NoSQL databases - key-value, column family, document, graph, and multi-model. It then discusses issues with using JPA and JDO for NoSQL and introduces the Eclipse JNoSQL solution which provides a common API to work with different NoSQL database types. It also outlines the JNoSQL architecture, support for asynchronous operations, and engagement with JUGs and code specification processes.
Stateless Microservice Security via JWT and MicroProfile - MexicoOtávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Eclipse JNoSQL: The Definitive Solution for Java and NoSQL DatabaseOtávio Santana
JNoSQL is a framework and collection of tools that make integration between Java applications and NoSQL quick and easy—for developers as well as vendors. The API is easy to implement, so NoSQL vendors can quickly implement, test, and become compliant by themselves. And with its low learning curve and just a minimal set of artifacts, Java developers can start coding by worrying not about the complexity of specific NoSQL databases but only their core aspects (such as graph or document properties). Built with functional programming in mind, it leverages all the features of Java 8. This session covers how the API is structured, how it relates to the multiple NoSQL database types, and how you can get started and involved in this open source technology.
Polyglot Persistence is a fancy term to mean that when storing data, it is best to use multiple data storage technologies, chosen based upon the way data is being used by individual applications or components of a single application
The document discusses different models of management and how open source relates to management approaches. Management 1.0/2.0 refers to traditional top-down hierarchical models while Management 3.0 focuses on self-management, transparency, and product-first approaches. When using open source, companies must consider licensing, intellectual property violations, and whether projects will be considered public domain. Open source development involves community input through a workflow of project proposals, review, incubation, and releases.
Building a Recommendation Engine with Java EEOtávio Santana
Recommender systems have become increasingly popular in recent years and are utilized in a variety of areas, including movies, music, news, books, research articles, search queries, marketplaces, social tags, and products in general. A platform with a recommender system—such as NetFlix, with movies; dating systems, with relationships; and Amazon, with books—makes the user experience exceptional. This presentation covers how to create a recommendation engine with Java EE to rocket your business.
This document provides an overview of Cassandra, a NoSQL database. It discusses key features of Cassandra including its data model, consistency levels, architecture involving commit logs, memtables and SSTables. It also covers gossip protocols, partitioning, replica placement strategies, CQL and user-defined types. The document notes some issues to consider with Cassandra and mentions operations, development tools and JNoSQL, an API for Cassandra.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfflufftailshop
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
4. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD
“Lo mejor de los standares es que terminas
teniendo muchas opciones por escogerThe nice
thing about standards is
you have so many to choose from.”
- Andrew S. Tanenbaum
48. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD Nuevo Access Token
∙ header (JSON > Base64 URL Encoded)
∙ Describe como la firma (signature) del token puede ser
verificada
∙ payload (JSON > Base64 URL Encoded)
∙ Json map de información que desees incluir
∙ Campo estándar como el de Expiración
∙ signature (Binary > Base64 URL Encoded)
∙ La firma digital
∙ Hecha exclusivamente por el endpoint: /oauth2/token
∙ Si es RSA puede ser verificado por cualquier persona
76. #RESTSecurity @otaviojava @tomitribe
ODCTour18LAD
MicroProfile
∙ Comunidad Open-Source de la fundación Eclipse
∙ Enfocada en Microservicios bajo JavaEE
∙ Generadora de: Specificaciones, API y TCK.
∙ Implementado por diferentes entidades
http://microprofile.io/