Transformation to a scalable
architecture at ING
Preparing for the tomorrow
Let me introduce myself
• Youssef Oujamaa
• Software Engineer
• Full-Stack: Java SE/EE, JavaScript, AngularJS
What’s the goal here?
• Share knowledge on the changing landscape
• Involve the security community
So what’s the content?
• Omni-channel
• Microservices Architecture
• Securing web service APIs
Questions are welcome at any moment!
What is this Omni-channel thing?
The purpose is a single-user experience across
devices and channels.
Microservices Architecture
[Diagram: the /login/, /transfer/ and /create/ services, each deployed on several "Hardware X" nodes, serving All Devices]
RESTful APIs on which you can
perform GET / POST / PUT / DELETE
Stateless nature allows scaling
Reading material
• More details on
• Layered Architecture
• Event-Driven Architecture
• Microkernel Architecture
• Microservices Architecture Pattern
• Space-Based Architecture
• It’s free! http://goo.gl/c7RIhR
So what about security?
• Cross-Site Request Forgery
– Secure APIs against cross-site requests
• JSON Hijacking
– Browsers allow resources to be retrieved cross-domain with GET (seriously, why?)
• Input Validation
– Never trust client supplied data
Cross-Site Request Forgery
• Never allow GET to modify data
• Ok, let’s only use POST?
– Still exploitable: a malicious website can auto-submit a custom form, posting to the API without any user interaction.
• Secure it with a per-user secret (anti-CSRF token) that only the current domain and the current page can read.
– Example: https://www.owasp.org/index.php/Anti_CSRF_Tokens_ASP.NET
JSON Hijacking
<script src="https://microsoft.com/api/user/details">
</script>
• Browsers will always perform a GET on the resource.
• Counter-measures
• Disallow arrays
• Older versions of Chrome / Firefox / IE allowed you to override the JavaScript Array constructor
• The JavaScript interpreter in IE 7/8 would give a syntax error with
details of the content
• Disallow JSONP
• Don’t return this
a_function_name(['data', 'can be', 'stolen']);
• Prefix JSON data with broken JavaScript
• Gmail uses while(1); on the first line
Input Validation
• Data
– Re-check everything – every call
• Injection
– Use secure frameworks to map JSON to objects
• This basically means: don't write your own unless you have a really good reason to.
– Just like for SQL and XML injection, take counter-measures against JSON injection
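What "use a secure framework to map JSON to objects" and "re-check everything, every call" amount to in code, as an added example (not code from the deck or from ING): a whitelist schema is applied to every incoming body, unknown fields are rejected rather than silently copied onto the target object, types and ranges are checked, and the result is built on a prototype-less object so a client-supplied `__proto__` key cannot reach it. The transfer schema, the IBAN pattern and the sample bodies are constructed for this example.

```javascript
// Added example: whitelist mapping of a JSON request body to an object.
// Not code from the ING deck; the schema, pattern and sample data are assumed.

// Schema for a (constructed) transfer request. Only these keys are allowed.
const transferSchema = {
  toAccount: { type: 'string', pattern: /^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/ },
  amount:    { type: 'number', min: 0.01, max: 1000000 },
  note:      { type: 'string', maxLength: 140, optional: true },
};

// Check one value against its rule; returns an error string or null.
function validateField(name, rule, value) {
  if (typeof value !== rule.type ||
      (rule.type === 'number' && !Number.isFinite(value))) {
    return `${name}: expected ${rule.type}`;
  }
  if (rule.pattern && !rule.pattern.test(value)) return `${name}: bad format`;
  if (rule.min !== undefined && value < rule.min) return `${name}: below minimum`;
  if (rule.max !== undefined && value > rule.max) return `${name}: above maximum`;
  if (rule.maxLength !== undefined && value.length > rule.maxLength) {
    return `${name}: too long`;
  }
  return null;
}

// Parse and validate one request body against a schema. Every call goes
// through this; nothing is trusted from an earlier call or from the client.
// Returns { ok: true, value } or { ok: false, errors }.
function mapJsonToObject(rawBody, schema) {
  let doc;
  try {
    doc = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, errors: ['body is not valid JSON'] };
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

  // Reject anything not in the whitelist. JSON.parse turns "__proto__" into
  // an own property, so it shows up here and is refused like any other extra.
  for (const key of Object.keys(doc)) {
    if (!has(schema, key)) errors.push(`${key}: unexpected field`);
  }

  const result = Object.create(null); // no prototype for a payload to pollute
  for (const [name, rule] of Object.entries(schema)) {
    if (!has(doc, name)) {
      if (!rule.optional) errors.push(`${name}: missing`);
      continue;
    }
    const err = validateField(name, rule, doc[name]);
    if (err) errors.push(err); else result[name] = doc[name];
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: result };
}
```

The same shape applies whichever mapping library you actually use (Jackson, Gson, a JSON-schema validator): the properties that matter are an explicit allow-list of fields, failure on unknown keys, type and range checks, and validation on every request rather than once at login.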
Questions?
Disclaimer
ING Group’s Annual Accounts are prepared in accordance with
International Financial Reporting Standards as adopted by the
European Union (‘IFRS-EU’).
In preparing the financial information in this document, the same
accounting principles are applied as in the 2014 ING Group Annual
Accounts. All figures in this document are unaudited. Small
differences are possible in the tables due to rounding.
Certain of the statements contained herein are not historical facts,
including, without limitation, certain statements made of future
expectations and other forward-looking statements that are based
on management’s current views and assumptions and involve
known and unknown risks and uncertainties that could cause actual
results, performance or events to differ materially from those
expressed or implied in such statements. Actual results,
performance or events may differ materially from those in such
statements due to, without limitation: (1) changes in general
economic conditions, in particular economic conditions in ING’s
core markets, (2) changes in performance of financial markets,
including developing markets, (3) consequences of a potential
(partial) break-up of the euro, (4) the implementation of ING’s
restructuring plan to separate banking and insurance operations, (5)
changes in the availability of, and costs associated with, sources of
liquidity such as interbank funding, as well as conditions in the
credit markets generally, including changes in borrower and
counterparty creditworthiness, (6) the frequency and severity of
insured loss events, (7) changes affecting mortality and
morbidity levels and trends,(8) changes affecting persistency levels,
(9) changes affecting interest rate levels, (10) changes affecting
currency exchange rates, (11) changes in investor, customer and
policyholder behaviour, (12) changes in general competitive factors,
(13) changes in laws and regulations, (14) changes in the policies of
governments and/or regulatory authorities, (15) conclusions with
regard to purchase accounting assumptions and methodologies,
(16) changes in ownership that could affect the future availability to
us of net operating loss, net capital and built-in loss carry forwards,
(17) changes in credit ratings, (18) ING’s ability to achieve projected
operational synergies and (19) the other risks and uncertainties
detailed in the Risk Factors section contained in the most recent
annual report of ING Groep N.V. Any forward-looking statements
made by or on behalf of ING speak only as of the date they are
made, and, ING assumes no obligation to publicly update or revise
any forward-looking statements, whether as a result of new
information or for any other reason.
This document does not constitute an offer to sell, or a solicitation
of an offer to purchase, any securities in the United States or any
other jurisdiction. The securities of NN Group have not been and
will not be registered under the U.S. Securities Act of 1933, as
amended (the “Securities Act”), and may not be offered or sold
within the United States absent registration or an applicable
exemption from the registration requirements of the Securities Act.
www.ing.com
