2016/11/25

OWASP Benelux 2016, Conference day

slides: https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2016-2#tab=Conferenceday

Securing Android Applications

Dario Incalza
apk: http://image.slidesharecdn.com/english-final-140610053432-phpapp02/95/android-applications-in-the-cruel-world-how-to-save-them-from-threats-6-638.jpg?cb=1402390537
tools:
recommendations

The State of Security of WordPress (plugins)

Yorick Koster
wordpress: blogging software with CMS features

Securing AngularJS Applications

Sebastian Lekies
AngularJS
  • "declarative templating"
  • contextual auto escaping (html, url, resource_url)
    • managed by the $sceProvider
    • URL / output $compileProvider
    • auto-encoding
    • URL validation: $sceDelegateProvider resourceUrlWhitelist / resourceUrlBlacklist
  • html sanitizer: removes all script
security pitfalls
  • do not generate templates based on user input
  • do not write user input before AngularJS is loaded -- careful with mixing other libraries
  • inserting HTML in DOM
    • ngBindHtml with $sce.trustAsHtml() -- sanitization is disabled! -- use plain ng-bind-html (sanitized) instead
    • DIY escapeForHtml() call -- managing security on your own is dangerous: AngularJS will sanitize the input for you
    • do not use jqLite
  • white/blacklisting URLs
    • wildcards in schemes:
    • wildcards in domains: replace domainname
      • toplevel domains: replace them with your own (my.evil.com)
    • regexps
    • conclusion: ONLY whitelist specific URLs, do NOT use regexp / wildcards

Compression Bombs Strike Back

Giancarlo Pellegrino
Compression
  • main lossless algorithm: deflate (zlib, gzip etc)
  • protocols: IMAP, XMPP, SSH, HTTP response:
    • Accept-Encoding: deflate/gzip
    • Content-Encoding: gzip etc
issues
  • DoS: "computationally intensive"
  • data amplification
  • unbalanced client/server (server caches the compressed file, client always decompresses)
old issues
  • zip bombs: 42 kB -- 4.5 PB unzipped (1996)
  • xmlbombs: recursive entities (2003)
present
attention points
  • first authenticate before uncompressing
  • input validation: size (check decompression ratio, limit size of decompressed message)
  • correctly chain + interpret payload
  • logger: resource exhaustion (e.g. decompress before logging)
  • zip size header can differ from the actual zipped content
https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/pellegrino

Zap it !

Zakaria Rachid
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
use cases
  • simple scanning
  • automatic security integration tests
    docker pull owasp/zap2docker-weekly
    docker run owasp/zap2docker-weekly zap-baseline.py -t http://target
  • security plugin
  • zap api

Stealing Secrets through Browser-based Side-channel Attacks

Tom Van Goethem
  • compression: guess char-by-char and check if this impacts response size
    • gzip + input controlled by attacker (or mitm)
  • find out response size:
    • cache api: + authenticated cross-origin responses
      • quota restrictions - can calculate response size of other site
      • getEstimate(): exact quota
      • but: after decompression
    • tcp windows: extra round trip
      • measure number of roundtrips
protection
  • no compression (but costs bandwidth)
  • do not compress secrets
  • samesite cookies
  • no third party cookies

Handling of Security Requirements in Software Development Lifecycle

Daniel Kefer
demo

Closing Keynote: The Future of Security

Bart Preneel

trends
  • big data / analysis
    • visibility
    • mass surveillance
  • privacy as security property
  • privacy by design:
    • "General Data Protection Regulation" GDPR
  • cryptowars continue
  • offense over defence (0-days)
recommendations
  • avoid single point of failure / trust
  • future
    • future of internet: simple but secure
    • small local data instead of centralised
    • distributed solutions (e.g. bitcoins)
    • big data --> encrypted data
    • open source solutions

2016/11/11

Devoxx 2016 - day 5: notes (2016/11/11)

Java Language and Platform Futures: A Sneak Peek

Brian Goetz

possible improvements
  • type inference for local variables
  • taming boilerplate
    • equals, hashCode, toString...
    • IDE help for writing but not reading
    • e.g. data classes: class Point(int x, int y) { } (but complex issues to solve)
  • improved switch: eg pattern matching
  • project valhalla: value types / better Data layout (complex)
  • specialized generics
  • project panama: efficient native code (better JNI)
others:

Flying services with the drone

Krzysztof Kudrynski, Blazej Kubiak


Building Chat Bots - The Next Gen UI

James Ward

  • chat channels: slack, facebook messenger
  • natural language / interactive
  • protocols: no standards
  • demo

2016/11/10

Devoxx 2016 - day 4: notes (2016/11/10)

Programming your body with chip implants

Pär Sikö

chip: 12mm / 2mm -- same as for pets
  • rfid: entrance system
  • nfc: smartcards: 1kb
issues
  • battery -- energy harvesting
  • communication technology
    • active

Optional - The Mother of All Bikesheds

Stuart Marks

Optional
  • java 8 (java.util)
  • non-null ref (present) or empty (absent)
  • primitives: OptionalInt, Long etc
  • never use "null" as ref in Optional
  • "limited mech for returntypes where null will very likely return errors" e.g. streams api: Optional prevents NPE's in chained calls
  • issue NoSuchElementException
usage of Optional
  • never call Optional.get() unless you can prove that the Optional is present
  • prefer alternatives to Optional.isPresent() / .get()
    • use: orElse() / orElseGet() / orElseThrow()
  • Optional.filter() predicate
  • Optional.ifPresent(): (as opposed to isPresent()) executes the lambda only if present
  • other methods
    • empty()
    • of()
    • flatMap()
    • ...
  • stream of Optional: .filter(Optional::isPresent).map(Optional::get).collect() -- filters present Optionals & extracts values
misuses:
  • simple null checks: avoid Optional.ofNullable() chains for what is just a null check
  • too complex constructs: Optional chains should be avoided
  • Optional.get() "attractive nuisance" -- will be deprecated
  • do not use Optional for
    • fields
    • method parameters
    • collections
    • replacing every null
  • Optional adds extra objects -- check performance issues
  • no identity-sensitive operations (e.g. serialization)

A Crash Course in Modern Hardware

Cliff Click

  • classic Von Neumann Architecture
  • throughput / core +10% / year (single-threaded)
  • CISC: easier to program, but harder to optimize (pagefaults)
  • RISC: simpler, but faster execution
  • walls:
    • power wall
    • ILP wall (branch prediction, speculative execution)
      • pipelining
        • better throughput, but latency remains
      • cache misses: stall -- performance = cache misses
      • branch predictions: 95% success
      • Itanium: static ILP: not much gain for huge effort
      • x86: limited by cache misses / branch mispredicts
      • locality is critical
    • memory wall
      • memory is larger, but latency is still high (DRAM)
      • SRAM for caches
        • requires data locality
        • cache layers
      • "memory is the new disk"
      • faster memory
        • relax coherency constraints
        • better throughput
    • speed of light
  • flat clock rates (15y)
    • hyper-threading: same limits (cache misses)
    • more cores
      • challenges:
        • chips reorder
        • concurrency is hard
        • immutable data
        • missing toolsets

The ISS position in real time on my mobile in less than 15mn ? Yes, we can.

Audrey Neveu

  • api.open-notify.org
  • ionic + cordova
  • server-sent events: push technology: text-only
    • streamdata.io for streaming the server-sent-events
    • JSON Patch (RFC 6902) for changes; demo
  • ionic start iss.io maps (=template)
  • ionic serve --lab
  • bower.json --> bower install

graph databases and the "panama papers"

Stefan Armbruster

panama papers: 2.6 TB data
property graph model
  • nodes: entities (can have name/value properties)
  • relationships: type + direction (=semantic)
neo4j usecases
  • internal
    • network / it operations
    • data management
  • customer facing
    • real-time recommendations
    • graph based search
    • identity/access management
neo4j:
  • graph database -- easy to draw structure
  • solves relational pains (logical vs table model)
  • open source
  • easy to use
  • ACID
  • scalable (3.1)
  • syntax
    • patterns: (:Person {name:"Dan"})-[:KNOWS]->(:Person {name:"an"})
    • clauses: CREATE / MERGE / SET / DELETE ...
    • MATCH ... WHERE ...
      • ORDER BY ...
      • pagination: SKIP / LIMIT
    • LOAD CSV
  • demo

A JVM does That?

Cliff Click

services -- "virtual"
  • high quality GC
  • high quality machine code gen
  • uniform threading / memory model
  • type safety
  • ...
Illusion:
  • infinite mem -- gc pauses
    • jvm optimizes
  • byte code is fast:
    • JIT brings back expected cost model (gcc -O2 level)
    • JIT requires profiling
  • virtual calls are slow: java makes them fast
    • inline caches
  • partial programs are fast: requires deoptimization, reprofile, reJIT
  • consistent memory model: every machine has a different memory model -- JVM handles this
  • consistent thread model: JVM improves locking etc
  • Locks are fast
  • quick time access: difficult on hardware / multiple threads
    • gettimeofday in java
wishes for the future:
  • tail calls
  • Integer as cheap as int
  • BigInteger as cheap as int
  • atomic multi-address update (software transactional memory)
  • thread priorities: on linux -- only as root
  • finalizers: "eventually" runs -- might be never (no timeliness guarantees)
  • soft/phantom refs: difficult to maintain in GC 

2016/11/09

Devoxx 2016 - day 3: notes (2016/11/09)

Keynote

  • AI / machine learning
    • lots of labeled datasets
    • products
      • tensorflow
  • java 9:
    • modules
      • jlink
    • jshell (REPL interface)
  • java future
    • small improvements: property-classes
    • Panama: improve JNI
      • demo: opencv (detect image contents)
      • cleaner interaction with native code

Security and Microservices

Sam Newman

intro
transport security
  • threatmodel
  • https everywhere:
    • server guarantee / tampering prevention
    • letsencrypt.org
  • client side certs: difficult -- Lemur
  • auth
    • oauth
    • form auth
    • "confused deputy problem": multiple access paths complicate security
      • saml assertions: complex
      • oauth token validated in services
data at rest
  • encrypted datastore
  • vault for password storage
docker issue
  • scans
  • build them yourself
code
logs
  • centralize in ELK

The road to Node Package Manager Hell

Paul Watson

dependency checker:
  • OWASP Dependency-Check
  • commercial: snyk.io / nodesecurity.io
yarn
  • alternative npm client
  • fast
  • autolock dependencies
  • deterministic installs
  • offline installs
others:
  • Nexus / Artifactory
  • gradle: gulp / node plugin

Modern web development using Aurelia

Harro Lissenberg

aurelia http://aurelia.io/
  • javascript framework
  • clean & non-obtrusive
  • no dependencies -- uses its own polyfills
  • MIT license
demo
  • cli for project setup
  • yarn install
  • require.js
  • recent ecmascript --> export class {}, constructor etc.
  • au run --watch for testing
  • repeat.for attribute with list of elements

Containers, VMs, Processes… How all of these technologies work ? Deep dive and learn about your OS

Quentin ADAM

process isolation
  • chroot
    • security risks (root, escape, ...)
  • jail / containers
    • linux cgroups: (docker)
      • some security risks
      • file descriptors: shared FS or full OS
  • vm (e.g. qemu)
    • simulate cpu
    • VT-x instruction set
    • performance?
      • cpu / memory- bound? usually not an issue
      • I/O system
        • storage
        • network
others:

100% Stateless with JWT (JSON Web Token)

Hubert Sablonnière

intro:
  • cookies
  • sessionid
    • shared / distributed cache (memcached etc)
    • or sticky session
jwt
  • comparable to sessionids
  • types
    • by reference
      • bank card: reference lookup needed
    • by value
      • real money --> no extra data needed
  • initial
    • write + sign
    • set JWT as cookie
  • after
    • verify each request
  • parts:
    • payload: claims + extra data
      • iss issuer
      • sub subject (email etc.)
      • times: exp / nbf / iat
      • jti id
      • claims
    • signature
      • symmetric, e.g. HMAC-SHA256 (HS256)
      • asymmetric signature
  • oauth2 / openid connect
    • based on jwt
  • benefits
    • no load-balancing constraints:
      • shared secret on all servers
      • or public key on all servers and secret (private) key only on the logon service
    • multilanguage
  • drawbacks
    • revocation
      • blacklist or whitelist?
    • single page applications // security?
      • xss with data in local storage
        • 3rd party scripting
        • solution: HttpOnly cookies
    • mobile apps
      • Authorization: Bearer header instead of cookie
    • csrf:
      • use local storage + add csrf token in payload
      • interceptor to send csrf token on each ajax request
  • others
    • multipart forms
    • emails: jwt for reset email
    • api gateway with sessionid, but use internally JWT: api gateway does the transformation

Testing Legacy Code

Elliotte Rusty Harold

http://www.cafeaulait.org/slides/sdbestpractices2006/legacy/
  • create broader tests first
  • prefer unit test over integration test
  • concentrate on changes
  • junit, testng etc
  • create initial setup (before / after) and add easy tests
  • trial & error to tweak a new test
  • also test obvious cases
  • remove dead code
  • code coverage: focus on missed elements:
    • Emma, Cobertura.
    • covered != tested...
  • autogenerate tests? avoids boilerplate
  • static analysis: Findbugs, PMD,...
  • refactoring: watch out for reflective access (hibernate, etc)

Wait, what!? Our microservices have actual human users?

Stefan Tilkov

  • single frontend that connects to multiple services?
  • orchestration: complex
  • functional services
    • services with DB-access -- JDBC in disguise -- too low level
    • reuse is a side effect
  • UIs matter most (not the services)
    • can become a big monolith
    • failure in the long run
  • "virtical responsibility": http://scs-architecture.org/
    • single team responsible for full slice
    • modularize frontend
  • frontend tech is not an implementation detail!
    • impacts architecture
    • decision to be made upfront
  • frontend
    • web: server vs client rendering
      • simple links (=resources)
      • redirection
      • transclusion: embedding other apps with javascript -- Web Components?
      • argument to avoid native
    • hybrid: try to use webbased
    • native: platform specifics
      • single monolith "by definition"
      • only internal modularization
  • solution frontend
  • summary
    • UIs matter
    • use the correct architectural style
    • frontend monoliths: as good /bad as backend monoliths

2016/11/08

Devoxx 2016 - day 2: notes (2016/11/08)

Array Linked to a List, the full story!

José Paumard


https://stuartmarks.wordpress.com/2015/12/18/some-java-list-benchmarks/
basic operations
  • list.sort
  • list.removeIf()
  • forEach
  • stream()
  • ... random:
  • arraylist
    • will never shrink
    • arraycopy operations
  • http://www.hackersdelight.org/
  • linkedlist:
    • some costly operations
benchmarks: JMH
cpu architecture
Java 9
  • List.of()
  • Set.of()
demo

Exploring Java 9

Venkat Subramaniam

Modularity
  • big rt.jar split in modules ("jmods" subdir)
  • java.base: default dependencies
  • other code also in modules
  • rule: no cycles (cyclic dependencies)
module
  • collection of packages / data
  • name
  • "requires"
  • "exports": only exported stuff can be used
  • convention: put module in dedicated dir
  • module-info.java in a top-level directory
    • module <name> { exports <package>; }
    • "requires java.base;" automatically added
  • public is not "public" anymore -- module-bound
  • examine dependencies
    • jdeps -s (exists since java 8)
    • -Xdiag:resolver
    • java -listmods -- JRE dependencies
  • implied readability: support transitive dependencies
    • "requires public"
  • transition to java 9:
    • jdeps -genmoduleinfo outputdir *.jar
    • put old jars in module path (-mp option)
    • "automatic modules"
    • uses name of jar instead of name of module
    • classpath: "unnamed module" -- 'quarantined' module (exports all)
  • versions: still ongoing
others
  • jlink: create platform-specific binary executable -- "java"
  • REPL "read evaluate print loop" -- jShell: snippets

The end of polling : why and how to transform a REST API into a Data Streaming API?

Audrey Neveu

"realtime user experience"
  • no refresh buttons
  • solutions
    • polling -- chatty protocol / inefficient
    • alternative
demo with http://streamdata.io and a drone

Open Sesame! Conversations With My Front Door

Maurice Naftalin

raspberry pi for controlling dooropener
  • python
  • asterisk: voip solution
    • complex setup / config
    • freepbx (commercial modules)
    • Asterisk-Java: support Fast AGI -- server on 45373
    • dialplan: voice recognition -- IBM Watson speech recognition service for converting the codes
    • DTMF is more reliable for entering a code
  • future:
    • Natural Language Processing

Notes on Type Theory for absolute beginners

Hanneli Tavante

intro to Type theory
steps:
  • collect all keywords / analyse grammar
  • replace with mathematics
  • remove duplicates
  • symbolic logic
  • environment (set of classes / variables)
  • predicate logic to analyse your system
  • lambda calculus
  • ...

2016/11/07

Devoxx 2016 - day 1: notes (2016/11/07)

Deep Learning: An Introduction

Breandan Considine


examples
reasons
  • big data
  • hardware (nvidia cuda)
  • algorithms
machine learning fundamentals
  • tensors: n-dimensional array
  • learning types:
    • supervised
    • unsupervised
    • reinforced
tensorflow examples
  • linear regression: single line in data
  • classification
    • "perceptron"
    • layers + weights, "gradient descent"
unsupervised learning
  • clustering, separation, association
  • clustering: random points, euclidean distance
data preprocessing
  • feature scaling, normalization
  • decomposition & aggregation
  • dimensionality reduction
  • --> training set, validate & select best model
DeepLearning4J
  • builder pattern
  • components:
    • nd4j -- n-dimensional arrays
reinforcement learning
  • agent has context + choices
  • rewards
  • goal: maximize cumulative reward
refs:

Make CSS Fun Again with Flexbox!

Hubert Sablonnière


refs:
flex:
  • float styles are only for text flow
  • display: flex // flex: 1 (for 1 row)
    • parent / flexcontainer
    • children: elements
  • flex-grow: weight
  • flex-shrink: minimum
  • flex-basis: default
others
  • justify-content: center / flex-end
  • align-items: center

Easily secure your Front and back applications with KeyCloak

Sébastien Blanc


http://www.keycloak.org/
Open Source Identity and Access Management
  • jwt (rfc 7519)
  • openid, kerberos etc
  • adapters (wildfly, spring boot, node.js ...)
  • native clients
  • login brokers
  • otp
demo
  • web.xml: roles/ security config
  • keycloak.json config
  • atom editor https://atom.io/
  • node.js: add keycloak.protect()

Sentiment analysis of social media posts using Apache Spark

Niels Dommerholt


http://spark.apache.org/ dataprocessing engine

sentiment analysis
  • positive / negative
  • java 8 / streams api
  • coursera
demo
  • JavaSparkContext: config

Apache Spark? If only it worked

Marcin Szymaniuk


origin: http://blog.explainmydata.com/2014/05/spark-should-be-better-than-mapreduce.html

details

  • RDD: Resilient Distributed Dataset:
    • cache
    • no priority
  • sizing executors: configure memory (should autobalance in recent versions)
  • known pitfalls: 2g block limit, gc's -- check level of parallelism (groupByKey, repartition)
  • check locality: NODE_LOCAL -- increase executors if needed
  • broadcast variable
  • avoid groupByKey -- use reduceByKey
  • debugging:
    • log aggregation
    • hdfs monitoring logging
    • gclogs  

Devoxx 2016: Be Productive with JHipster (2016-11-07)

Julien Dubois & Deepu K Sasidharan

https://jhipster.github.io/
demo generated stuff:
  • database: liquibase
  • Dockerfile -- docker-compose -f src/main/docker/mysql.yml up -d
  • swagger documentation
  • mvn clean test (maven / gradle wrappers)
other options
I18n:
  • Angular Translate in client
  • java internationalization on server
Websockets
  • Spring Websockets
  • sample screen generated (track users)
demo:
integration tests
production
JDL Jhipster Domain Language
Modules
Microservices
JHipster Console
  • Monitoring app built with ELK
  • Docker Compose sub-generator
future:
  • yarn upgrade https://yarnpkg.com/
  • bower will be removed in jhipster 4
  • Angular 2: 90% done
  • JHipster IDE Plugin for eclipse: design entities