Upgrade to Pro — share decks privately, control downloads, hide ads and more …

hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya
November 20, 2018
0
89

 hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya

November 20, 2018
Tweet

More Decks by Ignacio Anaya

See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
430
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
120
Security is not a feature!
ianaya89
1
320
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
99
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
250
Vue.js, PWA & The Subway Dilemma
ianaya89
0
160
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
110
A Token Walks into SPA
ianaya89
0
530

Featured

See All Featured
Visualization
eitanlees
145
15k
Side Projects
sachag
452
42k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
GitHub's CSS Performance
jonrohan
1030
460k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.8k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Become a Pro
speakerdeck
PRO
25
5k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
How to Ace a Technical Interview
jacobian
276
23k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Raft: Consensus for Rubyists
vanstee
136
6.6k

Transcript

  1. Hey Devs, Time to take care about web security! !

    ⏱ Time to take care about web security! - @ianaya89 1

  2. ! Nacho Anaya ! @ianaya89 • JavaScript Engineer @BloqInc •

    Ambassador @Auth0 • Organizer @Vuenos_Aires Time to take care about web security! - @ianaya89 2

  3. !" Time to take care about web security! - @ianaya89

    3

  4. "There are two types of companies: those that have been

    hacked, and those who don't know they have been hacked." John T. Chambers Time to take care about web security! - @ianaya89 4

  5. ! Understand the Problem Time to take care about web

    security! - @ianaya89 5

  6. ! 2017 4.2 billon leaks Time to take care about

    web security! - @ianaya89 6

  7. Time to take care about web security! - @ianaya89 7

  8. ! Loose Money Time to take care about web security!

    - @ianaya89 8

  9. ! Loose Trust Time to take care about web security!

    - @ianaya89 9

  10. ! ⏱ Invest! Time to take care about web security!

    - @ianaya89 10

  11. "If you spend more on coffee than on IT security,

    you will be hacked. Whats more, you deserve to be hacked" Richard A. Clarke Time to take care about web security! - @ianaya89 11

  12. ! Vulnerabili+es Everywhere! Time to take care about web security!

    - @ianaya89 12

  13. Time to take care about web security! - @ianaya89 13

  14. Time to take care about web security! - @ianaya89 14

  15. ! TCP is Complicated Time to take care about web

    security! - @ianaya89 15

  16. HTTP/S - WebSockets - DNS - TCP - FTP -

    IPv4 - IPv6 - SSH- ASCII - IRC Time to take care about web security! - @ianaya89 16

  17. ! Browsers Too Time to take care about web security!

    - @ianaya89 17

  18. HTML - CSS - JS Time to take care about

    web security! - @ianaya89 18

  19. DOM - Geoloca,on - Mul,media - Fetch - Web Sockets

    Time to take care about web security! - @ianaya89 19

  20. ! Understand the Solu/on Time to take care about web

    security! - @ianaya89 20

  21. ! There is no perfect security... Time to take care

    about web security! - @ianaya89 21

  22. ! Security is not a nice to have Time to

    take care about web security! - @ianaya89 22

  23. ! Security is by default Time to take care about

    web security! - @ianaya89 23

  24. ! Always, but always assume the worst Time to take

    care about web security! - @ianaya89 24

  25. ! Hackers gonna hack Time to take care about web

    security! - @ianaya89 25

  26. ! Know your app Time to take care about web

    security! - @ianaya89 26

  27. ! Input Vectors Time to take care about web security!

    - @ianaya89 27

  28. Query String - URL Path - Request Body - Cookies

    - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Time to take care about web security! - @ianaya89 28

  29. ⚠ Don't trust the users Time to take care about

    web security! - @ianaya89 29

  30. ! Must Do Time to take care about web security!

    - @ianaya89 30

  31. ! HTTPS ! It's 2018 Time to take care about

    web security! - @ianaya89 31

  32. Time to take care about web security! - @ianaya89 32

  33. ! HSTS strict-transport-security-policy Time to take care about web security!

    - @ianaya89 33

  34. ! Injec'on Time to take care about web security! -

    @ianaya89 34

  35. ! ✅ Injec'on • Validate input in the SERVER •

    Sani1ze Everything Time to take care about web security! - @ianaya89 35

  36. ! XSS Time to take care about web security! -

    @ianaya89 36

  37. Time to take care about web security! - @ianaya89 37

  38. ! ✅ XSS • Validate & sani-ze all inputs •

    Encode output (HTML) • Use proper headers Time to take care about web security! - @ianaya89 38

  39. ! " XSS Headers • String-Transport-Security • X-Frame-Op6ons • X-XSS-Protec6on

    • X-Content-Type-Op6ons • Content-Security-Policy Time to take care about web security! - @ianaya89 39

  40. ⚔ CSRF Time to take care about web security! -

    @ianaya89 40

  41. ⚔ ✅ CSRF • Random token in request • same-site

    cookie flag Time to take care about web security! - @ianaya89 41

  42. ! Session Management Time to take care about web security!

    - @ianaya89 42

  43. ! ✅ Session Management • Don't expose token (URL, Browser

    Storage) • Tokens must expire • OAUTH - OpenID - Auth0 Time to take care about web security! - @ianaya89 43

  44. ! Password Management Time to take care about web security!

    - @ianaya89 44

  45. ! ✅ Password Management • bcrypt for hashing (with salt)

    • Strong passwords • MFA Time to take care about web security! - @ianaya89 45

  46. ! Cookie Management Time to take care about web security!

    - @ianaya89 46

  47. ! " Cookie Flags • httpOnly • secure Time to

    take care about web security! - @ianaya89 47

  48. ! ↩ Cookie Scoping • domain • path • expires

    Time to take care about web security! - @ianaya89 48

  49. ! use strict Time to take care about web security!

    - @ianaya89 49

  50. ! Logging & Errors Time to take care about web

    security! - @ianaya89 50

  51. ! Sensi've Data Exposure Time to take care about web

    security! - @ianaya89 51

  52. Time to take care about web security! - @ianaya89 52

  53. ! ✅ Sensi've Data Exposure Just don't! Time to take

    care about web security! - @ianaya89 53

  54. ! OSS Time to take care about web security! -

    @ianaya89 54

  55. ! OWASP Top 10 owasp.org Time to take care about

    web security! - @ianaya89 55

  56. Time to take care about web security! - @ianaya89 56

  57. ! Tools • Re$reJS • npm nsp • docker Time

    to take care about web security! - @ianaya89 57

  58. ! Resources • owasp.org • WebGoat • Web Security Basics

    • MIT Computer Systems Security Time to take care about web security! - @ianaya89 58

  59. ! Time to take care about web security! - @ianaya89

    59

  60. ! Take Away Time to take care about web security!

    - @ianaya89 60

  61. ✌ Promote a security culture! Time to take care about

    web security! - @ianaya89 61

  62. ⏱ Security is important, 1me to take care! Time to

    take care about web security! - @ianaya89 62

  63. ! Thanks! ! Ques&ons? ! @ianaya89 Time to take care

    about web security! - @ianaya89 63