Enterprise security has never been more important or complex than it is today. Mobile devices, new client technologies, and cloud-based services are just some of the recent additions. Handling JAX-RS endpoints, spotty connectivity, local storage support, constrained devices and other land mines can be more than just a challenge. These also seem to be among the first areas glossed over by most projects. Why? Because dealing with them is hard!

One of the questions we get asked the most by developers and architects is: when and why would I use OAuth2? The answer, as often with such questions, is “it depends”, but there are some features of OAuth2 that make it compelling in some situations, especially in systems composed of many lightweight web services, which becoming a very common architectural pattern.

Once the realm of shadowy government organizations, cryptography now permeates computing. Unfortunately, it is difficult to get correct and most developers know just enough to be harmful for their projects. Together, we’ll go through the basics of modern cryptography and where things can go horribly wrong.

Ruby on Rails makes it very easy to rapidly develop web applications, but doesn’t always make it so simple to deploy or secure them. This talk is going to focus on best practices to secure your rails application, learnt through multiple high profile projects and penetration tests. The talk will be practical and show that this isn’t necessarily hard if thought about from the start. We’ll also touch on getting the right balance of security without it getting in the way of the users.

In this video, Douglas Crockford outlines the basic principles of designing secure software, with a focus on web applications. He starts at the beginning with the invention of language itself and makes a strong case for designing secure software based on fundamental principles rather than specific techniques, tricks, or hacks.

Tis presentation details how to incorporate security checks into the software development process for PHP applications. It also steps through the implementation and caveats of a security audit.

SQL Injection is a vulnerability that is often missed by web application security scanners, and it’s a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited. Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.

This tutorial explains in simple terms what the SQL Injection vulnerability is, and how real threats result from this typical exploitation. It features a sample exploitation scenario illustrating clear steps of what an attacker may do with a website which is vulnerable to error based SQL Injection.

Since 2004 Injection Flaws and Cross-Site Scripting (XSS) has topped the OWASP Top Ten of most harmful vulnerabilities. Time to do something about it. In this code kata we address both Injection Flaw as well as XSS by applying techniques from Domain Driven Design – thus Domain Driven Security. In specific we use DDD context mapping to understand what the problem really is and DDD value objects to shape up our module APIs to make these vulnerabilities go away by enforcing in-data validation and out-data encoding in a way that …

This video presents various issues encountered when implementing SOA security: heterogeneity and debugging are problematic, ESB plays an important role, and costs involved.
http://www.infoq.com/presentations/SOA-Security-in-Practice