Building Secure By Default Nodejs Applications

Nov 1, 2018Download as pptx, pdf

0 likes102 views

This presentation describes the process to build secure-by-default nodejs applications using a nodejs application called _spartan

@darkmsph1t
o n e s i z e f i t s m e
BUILDING SECURE-BY-DEFAULT NODEJS
APPLICATIONS
yolonda smith
AKA: What I did this summer while all the other kids were outside playing

@darkmsph1t
the common refrain
“That’s handled somewhere
else
[downstream/upstream/some
other made up place]”
“Is this really that big of a
problem? What’s the
likelihood that anyone will
ever find this?”
“Where does it say we have
to do that?”

@darkmsph1t
t h e c h a l l e n g e
CAN I FOLLOW MY OWN ADVICE?

@darkmsph1t
rules of engagement
1. Assume limited-knowledge or background in security
2. Tech stack used should offer (relatively) low barrier to entry and yet…
• Widely used in production environment I’m familiar with
3. Final application must implement security guidance from a well-known
framework (e.g. NIST, OWASP)

@darkmsph1t
key requirements
build “security” in from the very
beginning
contextualized to application
flexible enough to adjust to app
changes
cover all the bases
provide everything needed to build
an application which is ‘secure by
default’

@darkmsph1t
___ ___ _ ___ _____ _ _ _
/ __| | _ /_ |_ |_ _| /_ | | |
___ __ | _/ / _ | / | | / _ | .` |
|___| |___/ |_ | /_/ _ |_ |_ |_| /_ / _ |_ | _|
IN T R ODUCING

@darkmsph1t
what is it?
• node app deployed as an npm cli module
• Delivers policy (security.json) & boilerplate code/middleware for immediate use
• Built-in support:
• Redis
• MongoDB
• Firebase && local authentication
• Synk => application dependency vulnerabilities
• mocha-chai => unit testing
• Coveralls => test coverage
• TravisCI-ready

@darkmsph1t
concept of operations
CACHE
DATABASE
SESSIONS
SECURITY HEADERS
FORMS
CONNECTION
SECRETS
CLIENT
ACCESS CONTROL
CSP
CACHE
CORS
APP DEPENDENCIES

@darkmsph1t
• Shouldn’t need domain expertise needed to get basics done
• Security things for other security people
• Security with the application not around the application

@darkmsph1t
d e m o n s t r a t i o n
YOU CAN PLAY TOO!
node npm git* Your fave text editor/IDEterminal

@darkmsph1t
npm init -y
Optional : git init

@darkmsph1t
npm install -g spartan-shield
yarn add spartan-shield

@darkmsph1t
p r a c t i c a l e x a m p l e
NEUTRALIZING DIGITAL SKIMMERS WITH _SPARTAN

@darkmsph1t
what are the options?
1. JSONP…please, God, no…
2. Regenerate js for every page load
• Shorten cache period
3. Minimize the amount of 3P javascript running
on sensitive pages
4. Limit the context where 3P javascript can run
(e.g. sandbox) and what permissions it has
(CORS)
5. Track changes in javascript that we do allow
• Make sure we know when failures occur

@darkmsph1t
what did we get done?
CACHE
SESSIONS
SECURITY HEADERS
FORMS
CONNECTION
SECRETS
CLIENT
ACCESS CONTROL
CSP
CACHE
CORS
APP DEPENDENCIES
DATABASE

@darkmsph1t
what’s next?
1. (More) testing, refactor & documentation
2. Desktop (Electron) app && REST API
3. Introduction of audit through RBAC
• Track policy changes
• Very basic fuzzing & code-audit
4. Port boilerplate to other languages
• GO, Spring, Ruby top priorities

@darkmsph1t
unsolicited advice
1. DO know what you have, understand its
value and watch it
a. This includes infrastructure
2. DON’T rely on the pen-test to catch all of
the security issues
3. DO devote at least one sprint/epic on
secure design & code review
4. DO make sure that you have a means of
detecting attempts to circumvent your
controls

@darkmsph1t
o n e s i z e f i t s m e
BUILDING SECURE-BY-DEFAULT NODEJS
APPLICATIONS
@darkmsph1t darkmsph1t.github.io darkmsph1t@gmail.com

@darkmsph1t
• All things skimmer:
• https://otx.alienvault.com/pulse/5ba3c739f1b1ed67ed7764c1
• https://gwillem.gitlab.io/tag/skimming/
• https://gwillem.gitlab.io/2018/09/18/abs-cbn.com-hacked/
resources & references

The document discusses embracing failures in software and systems. It recommends monitoring for failures, conducting blameless postmortem analyses to determine root causes, simulating failures through "gameday" exercises before they occur, and designing systems using a "SafeMachine" approach to make failures safe rather than unsafe. The key ideas are to understand failures will happen, learn from them through root cause analysis and prevention practices, and design systems that can fail safely.

Nagios Conference 2014 - Gerald Combs - A Trillion TruthsNagios

Be Bop7CoVideo Systems

This document discusses common myths about using video marketing. It begins by introducing the topic of "Busting The 5 Biggest Video Myths". It then lists the five myths: 1) You need expensive equipment to create videos, 2) People are afraid they won't look good on camera, 3) They don't know what to say in a video, 4) Video production is too complicated, and 5) They don't know how to distribute finished videos. For each myth, the document plans to provide examples to illustrate why the myth is not true. It concludes by inviting questions from the audience.

Building a secure BFF at PostmanAnkit Muchhala

The document discusses building a secure backend for frontend (BFF) and outlines various security considerations and best practices. It notes that a BFF is a single point of failure and attack as a public-facing service. It recommends implementing validation, the principle of least privilege, request tagging, access control, content security, audits, and health checks to achieve confidentiality, integrity and availability. Some specific techniques mentioned include input validation, logging sensitive data, enforcing secure dependencies, and integrating security tests into the development lifecycle.

Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin

How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon

Building Self-Defending Applications With OWASP AppSensor JavaOne 2016jtmelton

AppSensor is an OWASP project that enables you to build self-defending applications with attacker detection and automated response capabilities. There are many security protections available to applications today. AppSensor builds on these by providing a mechanism that enables architects and developers to build into their applications a way to detect events and attacks and then automatically respond to them.

SecDevOps for API Security42Crunch

Enterprise Node - Securing Your EnvironmentKurtis Kemple

This document discusses securing an enterprise Node.js environment. It recommends using Node LTS versions for stability, containerizing applications for isolation, and securing dependencies by whitelisting modules. It also covers authenticating users with JWT, authorizing access with scopes and roles, validating input data, encrypting sensitive data, and ensuring HTTPS is used everywhere. Securing the runtime is important to protect the company from threats, improve confidence, and meet regulations.

AppSensor CodeMash 2017jtmelton

Serverless Security Guy Podjarny Liran Talxenikwit30

How to Build Secure APIs with Node.js for Remote Applications.pptGraffersID

AppSensor Near Real-Time Event Detection and Response - DevNexus 2016jtmelton

AppSensor is an OWASP project that defines a conceptual framework, methodology, guidance and reference implementation to design and deploy malicious behavior detection and automated responses directly within software applications. There are many security protections available to applications today. AppSensor builds on these by providing a mechanism that allows architects and developers to build into their applications a way to detect events and attacks, then automatically respond to them. Not only can this stop and/or reduce the impact of an attack, it gives you incredibly valuable visibility and security intelligence about the operational state of your applications.

Including security in devopsJérémy Matos

This document discusses including security in DevOps initiatives. It recommends integrating security tools and practices into the software development lifecycle (SDLC) to build security in from the start. This includes running automated vulnerability scanning tools like ZAP and sqlmap in CI/CD pipelines. It also recommends code reviews, security testing, environment hardening, and keeping dependencies up-to-date. The goal is to shift security left and automate security practices to continuously test and deploy more secure software.

Shields Up! Securing React AppsZachary Klein

A single-page application means putting a lot of traditionally server-side internals in the great unknown of a client's browser. The move of data and logic towards frontend requires a different model for application security. In addition to old foes like cross-site scripting, we now have to consider concepts like local storage, routing, JWTs and OAuth2 frameworks, and understand their implications in locking down our apps. Let's clear up the confusion and zero in on thew approaches and techniques you need to secure your React app. We'll examine several layers of security relevant to React apps, including UI-level security (preventing XSS attacks and securing routes with React Router and Higher-Order Components), and API security using JWTs and third-party authentication-providers.

Secure Coding for NodeJSThang Chung

This document provides an overview of secure coding practices for Node.js applications. It discusses common vulnerabilities like injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, lack of access controls, CSRF, use of vulnerable components, and unvalidated redirects. For each issue, it provides examples of insecure code and suggestions for more secure implementations using input validation, encryption, access control checks, HTTPS, CSRF tokens, and other best practices. It also lists some useful security tools and resources for Node.js applications.

Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh

Software developers are screwing up the digital world. Security is often an afterthought, or worse, the job of I.T., who is expected to sprinkle magic fairy dust on an app that magically makes it secure. That's an impossible ask and forces a perimeter-based security model that cannot succeed alone in a world of cloud apps, mobile devices, and distributed data. Developers must embrace security by design principles and fundamentally shift their attitude about who is responsible for security.

A Complete Guide to Node.js Authentication and SecurityNaresh IT

Node.Js has emerge as one of the most famous systems for constructing server-facet programs, specifically because of its speed, scalability, and performance in managing asynchronous operations. When developing applications, however, it’s critical to take into account robust authentication and protection practices to guard consumer records and preserve utility integrity. In this text, we’ll explore great practices for authentication and safety in Node.Js, assisting developers layout stable and dependable packages.

How to Build a Fortress with the Security of a Tent - Jacob Ideskog, CurityNordic APIs

A presentation given by Jacob Ideskog, CTO at Curity, at our 2024 Platform Summit, October 8-9. In this talk, Jacob Ideskog will present the bigger picture, whether you like it or not. Securing platforms is a massive task, where both the details and the big picture matter. We can rely on security standards such as OAuth and OpenID Connect, but if we don’t use the right tool for the right task, security is merely a hope. So it’s time to present the right tools, for the right task and hopefully change hope into action.

AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern

With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.

AllDayDevOps 2019 AppSensorjtmelton

Modern applications can protect themselves from attackers by incorporating runtime monitoring capabilities. The OWASP AppSensor project aims to make intrusion detection primitives available within applications so they can detect attacks and automatically respond before an attacker succeeds. It works by collecting event data from applications and analyzing them for attacks using configurable rules. This allows applications to become self-defending by detecting and stopping attackers without needing manual responses.

How npm is making JavaScript safe for everyoneDaniel Sauble

This document discusses making JavaScript safe for everyone. It provides an overview of open source software (OSS) and software supply chains, and how their large surface areas create security risks. It notes that traditional security approaches are often portrayed as impediments and are ineffective. The document advocates for a "new" security approach called DevSecOps that embeds security teams in developer teams. It also discusses automation of security processes using free tools. Finally, it announces that npm is building a Security Insights API to publish security data publicly and help the community and npm's security team be more effective.

Proactive Security AppSec Case StudyAndy Hoernecke

Designing Secure APIsSteven Chen

APIs are the building blocks of interoperability on the web and are a key component of scalable and successful technology companies. As externally-consumable APIs expose more information and functionality, ensuring privacy and security of customer data is an increasingly risky proposition. In this session, we’ll talk about some of Slack’s learnings around building Developer APIs and best practices for keeping your APIs safe. Slides originally for a presentation at the Rocky Mountain Technology Summit. Slightly reduced content.

Snyk Intro - Developer Security Essentials 2022Liran Tal

Overwhelmed with security issues in your Node.js applications? Not entirely sure how to write secure code? Join us in this workshop where you’ll learn how to improve security without being a security professional. We’ll use Snyk Code’s VS Code extension to catch and find security issues while you code, automatically fix security issues in your open source libraries, and see first-hand how to weaponize vulnerabilities to exploit working Node.js applications. You will also learn about the multiple ways of using Snyk to secure your projects, from the CLI, to CI/CD pipelines with GitHub Actions, and extend your know from secure code and secure dependencies to that of building secure containers to your Node.js apps on Docker.

Effective approaches to web application security Zane Lackey

The document discusses effective approaches to web application security. It emphasizes techniques that are simple yet effective, such as making things safe by default through early encoding of dangerous HTML characters. It also stresses focusing security efforts by automatically detecting changes to sensitive code and functionality through hashing and alerts, in order to quickly review any newly introduced risks from continuous deployment.

12 best Node.js security practices in 2024russellpitt93

How Advanced Environmental Detection Is Revolutionizing Oil & Gas Safety.pdfRejig Digital

Unlock the future of oil & gas safety with advanced environmental detection technologies that transform hazard monitoring and risk management. This presentation explores cutting-edge innovations that enhance workplace safety, protect critical assets, and ensure regulatory compliance in high-risk environments. 🔍 What You’ll Learn: ✅ How advanced sensors detect environmental threats in real-time for proactive hazard prevention 🔧 Integration of IoT and AI to enable rapid response and minimize incident impact 📡 Enhancing workforce protection through continuous monitoring and data-driven safety protocols 💡 Case studies highlighting successful deployment of environmental detection systems in oil & gas operations Ideal for safety managers, operations leaders, and technology innovators in the oil & gas industry, this presentation offers practical insights and strategies to revolutionize safety standards and boost operational resilience. 👉 Learn more: https://www.rejigdigital.com/blog/continuous-monitoring-prevent-blowouts-well-control-issues/

“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2025/06/state-space-models-vs-transformers-for-ultra-low-power-edge-ai-a-presentation-from-brainchip/ Tony Lewis, Chief Technology Officer at BrainChip, presents the “State-space Models vs. Transformers for Ultra-low-power Edge AI” tutorial at the May 2025 Embedded Vision Summit. At the embedded edge, choices of language model architectures have profound implications on the ability to meet demanding performance, latency and energy efficiency requirements. In this presentation, Lewis contrasts state-space models (SSMs) with transformers for use in this constrained regime. While transformers rely on a read-write key-value cache, SSMs can be constructed as read-only architectures, enabling the use of novel memory types and reducing power consumption. Furthermore, SSMs require significantly fewer multiply-accumulate units—drastically reducing compute energy and chip area. New techniques enable distillation-based migration from transformer models such as Llama to SSMs without major performance loss. In latency-sensitive applications, techniques such as precomputing input sequences allow SSMs to achieve sub-100 ms time-to-first-token, enabling real-time interactivity. Lewis presents a detailed side-by-side comparison of these architectures, outlining their trade-offs and opportunities at the extreme edge.

More Related Content

Similar to Building Secure By Default Nodejs Applications (20)

SecDevOps for API Security42Crunch

Enterprise Node - Securing Your EnvironmentKurtis Kemple

AppSensor CodeMash 2017jtmelton

Serverless Security Guy Podjarny Liran Talxenikwit30

How to Build Secure APIs with Node.js for Remote Applications.pptGraffersID

AppSensor Near Real-Time Event Detection and Response - DevNexus 2016jtmelton

Including security in devopsJérémy Matos

Shields Up! Securing React AppsZachary Klein

Secure Coding for NodeJSThang Chung

Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh

A Complete Guide to Node.js Authentication and SecurityNaresh IT

How to Build a Fortress with the Security of a Tent - Jacob Ideskog, CurityNordic APIs

AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern

AllDayDevOps 2019 AppSensorjtmelton

How npm is making JavaScript safe for everyoneDaniel Sauble

Proactive Security AppSec Case StudyAndy Hoernecke

Designing Secure APIsSteven Chen

Snyk Intro - Developer Security Essentials 2022Liran Tal

Effective approaches to web application security Zane Lackey

12 best Node.js security practices in 2024russellpitt93

SecDevOps for API Security42Crunch

Enterprise Node - Securing Your EnvironmentKurtis Kemple

AppSensor CodeMash 2017jtmelton

Serverless Security Guy Podjarny Liran Talxenikwit30

How to Build Secure APIs with Node.js for Remote Applications.pptGraffersID

AppSensor Near Real-Time Event Detection and Response - DevNexus 2016jtmelton

Including security in devopsJérémy Matos

Shields Up! Securing React AppsZachary Klein

Secure Coding for NodeJSThang Chung

Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh

A Complete Guide to Node.js Authentication and SecurityNaresh IT

How to Build a Fortress with the Security of a Tent - Jacob Ideskog, CurityNordic APIs

AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern

AllDayDevOps 2019 AppSensorjtmelton

How npm is making JavaScript safe for everyoneDaniel Sauble

Proactive Security AppSec Case StudyAndy Hoernecke

Designing Secure APIsSteven Chen

Snyk Intro - Developer Security Essentials 2022Liran Tal

Effective approaches to web application security Zane Lackey

12 best Node.js security practices in 2024russellpitt93

Recently uploaded (20)

How Advanced Environmental Detection Is Revolutionizing Oil & Gas Safety.pdfRejig Digital

“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...Edge AI and Vision Alliance

TimeSeries Machine Learning - PyData London 2025Suyash Joshi

MCP vs A2A vs ACP: Choosing the Right Protocol | BluebashBluebash

GIS and FME: The Foundation to Improve the Locate Process of UtilitiesSafe Software

Locate requests is an important activity for utility companies to prevent people who are digging from damaging underground assets. At Energir, locates were historically treated by our internal field technicians. It’s a very intensive and time-sensitive task during the summer season and it has a significant financial and environmental cost. Since locate requests tend to increase from year to year, it became clear that improvements were needed to keep delivering a quality service to requestors and keeping Energir’s assets safe. This presentation will explain how transformative projects done in the past years allowed to start sending locate plans to requestors without the intervention of field technicians. The analysis of the GIS data through FME workbenchs allows to filter some locate request types and process them semi-automatically. However, the experience gained so far shows that this process is limited by the fact that Energir’s is missing precise information about the spatial accuracy. Future plans are to precisely locate most of Energir’s gas network and FME will again be a huge help to integrate all the data that will be produced.

Dancing with AI - A Developer's Journey.pptxElliott Richmond

In this talk, Elliott explores how developers can embrace AI not as a threat, but as a collaborative partner. We’ll examine the shift from routine coding to creative leadership, highlighting the new developer superpowers of vision, integration, and innovation. We'll touch on security, legacy code, and the future of democratized development. Whether you're AI-curious or already a prompt engineering, this session will help you find your rhythm in the new dance of modern development.

Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...Anish Kumar

Presented by: Anish Kumar LinkedIn: https://www.linkedin.com/in/anishkumar/ This lightning talk dives into real-world GenAI projects that scaled from prototype to production using Databricks’ fully managed tools. Facing cost and time constraints, we leveraged four key Databricks features—Workflows, Model Serving, Serverless Compute, and Notebooks—to build an AI inference pipeline processing millions of documents (text and audiobooks). This approach enables rapid experimentation, easy tuning of GenAI prompts and compute settings, seamless data iteration and efficient quality testing—allowing Data Scientists and Engineers to collaborate effectively. Learn how to design modular, parameterized notebooks that run concurrently, manage dependencies and accelerate AI-driven insights. Whether you're optimizing AI inference, automating complex data workflows or architecting next-gen serverless AI systems, this session delivers actionable strategies to maximize performance while keeping costs low.

Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOMAnchore

Over 70% of any given software application consumes open source software (most likely not even from the original source) and only 15% of organizations feel confident in their risk management practices. With the newly announced Anchore SBOM feature, teams can start safely consuming OSS while mitigating security and compliance risks. Learn how to import SBOMs in industry-standard formats (SPDX, CycloneDX, Syft), validate their integrity, and proactively address vulnerabilities within your software ecosystem.

Oracle Cloud Infrastructure AI FoundationsVICTOR MAESTRE RAMIREZ

7 Salesforce Data Cloud Best Practices.pdfMinuscule Technologies

Data Virtualization: Bringing the Power of FME to Any ApplicationSafe Software

Imagine building web applications or dashboards on top of all your systems. With FME’s new Data Virtualization feature, you can deliver the full CRUD (create, read, update, and delete) capabilities on top of all your data that exploit the full power of FME’s all data, any AI capabilities. Data Virtualization enables you to build OpenAPI compliant API endpoints using FME Form’s no-code development platform. In this webinar, you’ll see how easy it is to turn complex data into real-time, usable REST API based services. We’ll walk through a real example of building a map-based app using FME’s Data Virtualization, and show you how to get started in your own environment – no dev team required. What you’ll take away: -How to build live applications and dashboards with federated data -Ways to control what’s exposed: filter, transform, and secure responses -How to scale access with caching, asynchronous web call support, with API endpoint level security. -Where this fits in your stack: from web apps, to AI, to automation Whether you’re building internal tools, public portals, or powering automation – this webinar is your starting point to real-time data delivery.

Mastering AI Workflows with FME - Peak of Data & AI 2025Safe Software

Harness the full potential of AI with FME: From creating high-quality training data to optimizing models and utilizing results, FME supports every step of your AI workflow. Seamlessly integrate a wide range of models, including those for data enhancement, forecasting, image and object recognition, and large language models. Customize AI models to meet your exact needs with FME’s powerful tools for training, optimization, and seamless integration

Trends Artificial Intelligence - Mary MeekerClive Dickens

Mary Meeker’s 2024 AI report highlights a seismic shift in productivity, creativity, and business value driven by generative AI. She charts the rapid adoption of tools like ChatGPT and Midjourney, likening today’s moment to the dawn of the internet. The report emphasizes AI’s impact on knowledge work, software development, and personalized services—while also cautioning about data quality, ethical use, and the human-AI partnership. In short, Meeker sees AI as a transformative force accelerating innovation and redefining how we live and work.

Introduction to Typescript - GDG On Campus EUEGoogle Developer Group On Campus European Universities in Egypt

Interested in leveling up your JavaScript skills? Join us for our Introduction to TypeScript workshop. Learn how TypeScript can improve your code with dynamic typing, better tooling, and cleaner architecture. Whether you're a beginner or have some experience with JavaScript, this session will give you a solid foundation in TypeScript and how to integrate it into your projects. Workshop content: - What is TypeScript? - What is the problem with JavaScript? - Why TypeScript is the solution - Coding demo

Bridging the divide: A conversation on tariffs today in the book industry - T...BookNet Canada

A collaboration-focused conversation on the recently imposed US and Canadian tariffs where speakers shared insights into the current legislative landscape, ongoing advocacy efforts, and recommended next steps. This event was presented in partnership with the Book Industry Study Group. Link to accompanying resource: https://bnctechforum.ca/sessions/bridging-the-divide-a-conversation-on-tariffs-today-in-the-book-industry/ Presented by BookNet Canada and the Book Industry Study Group on May 29, 2025 with support from the Department of Canadian Heritage.

End-to-end Assurance for SD-WAN & SASE with ThousandEyesThousandEyes

If You Use Databricks, You Definitely Need FMESafe Software

Your startup on AWS - How to architect and maintain a Lean and Mean account J...angelo60207

Prevent infrastructure costs from becoming a significant line item on your startup’s budget! Serial entrepreneur and software architect Angelo Mandato will share his experience with AWS Activate (startup credits from AWS) and knowledge on how to architect a lean and mean AWS account ideal for budget minded and bootstrapped startups. In this session you will learn how to manage a production ready AWS account capable of scaling as your startup grows for less than $100/month before credits. We will discuss AWS Budgets, Cost Explorer, architect priorities, and the importance of having flexible, optimized Infrastructure as Code. We will wrap everything up discussing opportunities where to save with AWS services such as S3, EC2, Load Balancers, Lambda Functions, RDS, and many others.

National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...Safe Software

The National Fuels Treatments Initiative (NFT) is transforming wildfire mitigation by creating a standardized map of nationwide fuels treatment locations across all land ownerships in the United States. While existing state and federal systems capture this data in diverse formats, NFT bridges these gaps, delivering the first truly integrated national view. This dataset will be used to measure the implementation of the National Cohesive Wildland Strategy and demonstrate the positive impact of collective investments in hazardous fuels reduction nationwide. In Phase 1, we developed an ETL pipeline template in FME Form, leveraging a schema-agnostic workflow with dynamic feature handling intended for fast roll-out and light maintenance. This was key as the initiative scaled from a few to over fifty contributors nationwide. By directly pulling from agency data stores, oftentimes ArcGIS Feature Services, NFT preserves existing structures, minimizing preparation needs. External mapping tables ensure consistent attribute and domain alignment, while robust change detection processes keep data current and actionable. Now in Phase 2, we’re migrating pipelines to FME Flow to take advantage of advanced scheduling, monitoring dashboards, and automated notifications to streamline operations. Join us to explore how this initiative exemplifies the power of technology, blending FME, ArcGIS Online, and AWS to solve a national business problem with a scalable, automated solution.

Down the Rabbit Hole – Solving 5 Training RoadblocksRustici Software

Feeling stuck in the Matrix of your training technologies? You’re not alone. Managing your training catalog, wrangling LMSs and delivering content across different tools and audiences can feel like dodging digital bullets. At some point, you hit a fork in the road: Keep patching things up as issues pop up… or follow the rabbit hole to the root of the problems. Good news, we’ve already been down that rabbit hole. Peter Overton and Cameron Gray of Rustici Software are here to share what we found. In this webinar, we’ll break down 5 training roadblocks in delivery and management and show you how they’re easier to fix than you might think.