Velocity Conference 2015
Velocity Conference 2015 What is Velocity all about? What did I learn? Service Workers: The Practical Bits by Patrick Meenan (Google) @patmeenan http://www.slideshare.net/patrickmeenan/service-workers-for-performance mentor telling you what not to worry about Perf events mixed mode can show stack traces of both Java and native system calls Continuous Delivery in Financial Training by David Genn (IG) @david_genn Monitoring: more valuable than any other metric Web Performance: 2 seconds is the magic number Whom did I meet? Attributions and References [1] Speaker Slides and Videos: http://velocityconf.com/devops-web
4 pages | 176.79 KB | 6 months ago
Predictably Irrational
Predictably Irrational – The Hidden Forces That Shape Our Decisions By Dan Ariely “If I were to distill one main lesson from the research described in this book, it is that we are pawns in a game whose Is Relative – Even When It Shouldn’t Be Examples: House Shopping, Vacations, Observations: o “humans rarely choose things in absolute terms. We don’t have an internal value meter that tells us Rather, we focus on the relative advantage of one thing over another, and estimate value accordingly” o “we not only tend to compare things with one another but also tend to focus on comparing things that
3 pages | 234.46 KB | 6 months ago
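HW Arsenal: Red Team Operations Handbook
Identifying and bypassing the type of WAF used by the target BypassWAF file upload / read / download BypassWAF SQL injection BypassWAF RCE BypassWAF exploitation of known N-day vulnerabilities in various Java web middleware BypassWAF webshell AV evasion More, pending additions and More, pending additions and corrections... 0x02 Gaining initial access [the focus of external defense so only a selection was made of the "middleware", "open-source programs" and "web components" that are encountered relatively often and that genuinely help get a shell quickly in real engagements Exploitation of the various known N-day vulnerabilities in Java middleware Unlike other script-based web applications, Java usually runs with fairly high privileges, and in most cases runs directly as root/administrator/system so the shell obtained is usually also highly privileged, often server-level access directly Unauthorized access, sensitive information disclosure RabbitMQ weak passwords Glassfish arbitrary file read [older versions] weak console passwords, webshell deployment IBM Websphere Java deserialization weak console passwords, webshell deployment Axis2 arbitrary file read directory traversal Apache ActiveMQ unauthorized access, in versions before 5.12 the fileserver has
19 pages | 1.20 MB | 1 year ago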
MITRE Defense Agile Acquisition Guide - Mar 2014
Approved for Public Release; Distribution Unlimited. 14-0391 Executive Summary The Department of Defense (DoD) needs an acquisition framework for information technology (IT) that sjchang@mitre.org. Pete Modigliani and Su Chang The MITRE Corporation Table of Contents I. Introduction ... Deborah Basilis Erin Schultz Margaret MacDonald Nadine Tronick Mike Janiga I. Introduction 1 Purpose The DoD needs an acquisition framework for IT that can keep pace with rapidly
74 pages | 3.57 MB | 6 months ago
Open Discussion on Project Planning
make detailed plans beyond a program’s ability to control or accurately predict future circumstances o Agile methodology does not force programs to establish their full scope, requirements, and design at define the desired system functions and provide the foundation for Agile estimation and planning. o They describe what the users want to accomplish with the resulting system. User stories help ensure requirements than large requirements documents. DON’T treat planning as a one-time up front activity o In lieu of CDDs and CPDs, programs can develop Requirements Definition Packages (RDPs) to capture a
2 pages | 49.30 KB | 6 months ago
The DevOps Handbook
Way – The Technical Practices of Feedback 1. Introduction a. Goal – Implement fast feedback loops i. Enable working towards shared goals ii. See problems as they occur iii. Enable quick detection & Create Telemetry to Enable Seeing and Solving Problems a. Fact – Things will go wrong in Operations! i. 2001 Microsoft Operation Framework study found the best-performing organizations were better at diagnosing performers had MTTR 168x faster than low performers b. CREATE OUR CENTRALIZED TELEMETRY INFRASTRUCTURE i. Remove the silos of information – Developers don’t just log what’s interesting to development. Operations
8 pages | 24.02 KB | 6 months ago
The DevOps Handbook
a. Goal – practices to enable learning as quickly, frequently, cheaply, and as soon as possible i. Institutionalize rituals to increase safety, continuous improvement, and learning ii. Create mechanism and Inject Learning into Daily Work a. Complex systems are impossible to predict for all outcomes i. Dr. Steven Spear - resilient organizations are “skilled at detecting problems, solving them, and multiplying architected for failure, tested for failure, and evolved beyond it b. ESTABLISH A JUST, LEARNING CULTURE i. Unjust responses to incidents 1. Impede safety 2. Promote fear over mindfulness 3. Create bureaucracy
9 pages | 25.13 KB | 6 months ago
The DevOps Handbook
Foreword xix 3. Imagine a World Where Dev and Ops Become DevOps: a. THE CORE, CHRONIC CONFLICT i. Among them are the two following goals, which must be pursued simultaneously: 1. Respond to the rapidly 2. Provide stable, reliable, and secure service to the customer b. THE BUSINESS VALUE OF DEVOPS i. Code and change deployments (thirty times more frequent) ii. Code and change deployment lead time service (168 times faster) 4. An Introduction to The DevOps Handbook xxi 5. PART I—THE THREE WAYS 1 a. Introduction i. THE LEAN MOVEMENT 1. manufacturing lead time required to convert raw materials
8 pages | 22.57 KB | 6 months ago
The DevOps Handbook
1. Introduction a. Goal – Enable & sustain fast flow of work by implementing continuous delivery i. Create the foundation of our deployment pipeline ii. Enabling fast & reliable automated testing iii reduced from 8 weeks to 1 day b. ENABLE ON-DEMAND CREATION OF DEV, TEST, AND PRODUCTION ENVIRONMENTS i. Major contributing cause of issues stems from releases representing the first time we see how an application stable, reliable, consistent, & secure c. CREATE OUR SINGLE REPOSITORY OF TRUTH FOR THE ENTIRE SYSTEM i. ALL parts (code & environments) of the system are shared in a version control repository ii. Version
8 pages | 23.08 KB | 6 months ago
A Seat at the Table: IT Leadership in the Age of Agility - Part 2
hard-working government employees, so resilient in the face of impediments, criticism, and abuse. I have so much fun working alongside you.” – Mark Schwartz Last Time in Part One Planning: The idea find something that is a near fit, and then deal with the question of whether it is a near enough fit. I don’t mean that standards are bad. Let’s just agree that they might be overrated. A Better Way – Treat future revenues and reduce future costs—that is, an asset in the classic economic sense. This asset I will refer to as the EA, which could just as well stand for Economic Asset. The EA has intangible
7 pages | 387.61 KB | 6 months ago