Upgrade to Pro — share decks privately, control downloads, hide ads and more …

hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya
November 20, 2018
89

 hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya

November 20, 2018
Tweet

Transcript

  1. Hey Devs, Time to take care about web security! !

    ⏱ Time to take care about web security! - @ianaya89 1
  2. ! Nacho Anaya ! @ianaya89 • JavaScript Engineer @BloqInc •

    Ambassador @Auth0 • Organizer @Vuenos_Aires Time to take care about web security! - @ianaya89 2
  3. "There are two types of companies: those that have been

    hacked, and those who don't know they have been hacked." John T. Chambers Time to take care about web security! - @ianaya89 4
  4. "If you spend more on coffee than on IT security,

    you will be hacked. Whats more, you deserve to be hacked" Richard A. Clarke Time to take care about web security! - @ianaya89 11
  5. HTTP/S - WebSockets - DNS - TCP - FTP -

    IPv4 - IPv6 - SSH- ASCII - IRC Time to take care about web security! - @ianaya89 16
  6. HTML - CSS - JS Time to take care about

    web security! - @ianaya89 18
  7. DOM - Geoloca,on - Mul,media - Fetch - Web Sockets

    Time to take care about web security! - @ianaya89 19
  8. ! There is no perfect security... Time to take care

    about web security! - @ianaya89 21
  9. ! Security is not a nice to have Time to

    take care about web security! - @ianaya89 22
  10. ! Always, but always assume the worst Time to take

    care about web security! - @ianaya89 24
  11. Query String - URL Path - Request Body - Cookies

    - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Time to take care about web security! - @ianaya89 28
  12. ! HTTPS ! It's 2018 Time to take care about

    web security! - @ianaya89 31
  13. ! ✅ Injec'on • Validate input in the SERVER •

    Sani1ze Everything Time to take care about web security! - @ianaya89 35
  14. ! ✅ XSS • Validate & sani-ze all inputs •

    Encode output (HTML) • Use proper headers Time to take care about web security! - @ianaya89 38
  15. ! " XSS Headers • String-Transport-Security • X-Frame-Op6ons • X-XSS-Protec6on

    • X-Content-Type-Op6ons • Content-Security-Policy Time to take care about web security! - @ianaya89 39
  16. ⚔ ✅ CSRF • Random token in request • same-site

    cookie flag Time to take care about web security! - @ianaya89 41
  17. ! ✅ Session Management • Don't expose token (URL, Browser

    Storage) • Tokens must expire • OAUTH - OpenID - Auth0 Time to take care about web security! - @ianaya89 43
  18. ! ✅ Password Management • bcrypt for hashing (with salt)

    • Strong passwords • MFA Time to take care about web security! - @ianaya89 45
  19. ! " Cookie Flags • httpOnly • secure Time to

    take care about web security! - @ianaya89 47
  20. ! ↩ Cookie Scoping • domain • path • expires

    Time to take care about web security! - @ianaya89 48
  21. ! ✅ Sensi've Data Exposure Just don't! Time to take

    care about web security! - @ianaya89 53
  22. ! Tools • Re$reJS • npm nsp • docker Time

    to take care about web security! - @ianaya89 57
  23. ! Resources • owasp.org • WebGoat • Web Security Basics

    • MIT Computer Systems Security Time to take care about web security! - @ianaya89 58
  24. ⏱ Security is important, 1me to take care! Time to

    take care about web security! - @ianaya89 62
  25. ! Thanks! ! Ques&ons? ! @ianaya89 Time to take care

    about web security! - @ianaya89 63