hey-devs-time-to-care-about-web-apps-security.pdf
Ignacio Anaya
November 20, 2018
Transcript
Hey Devs, Time to take care about web security!
⏱ Time to take care about web security! - @ianaya89
Nacho Anaya - @ianaya89 • JavaScript Engineer @BloqInc • Ambassador @Auth0 • Organizer @Vuenos_Aires
"There are two types of companies: those that have been hacked, and those who don't know they have been hacked." - John T. Chambers
Understand the Problem
2017: 4.2 billion leaks
Lose Money
Lose Trust
⏱ Invest!
"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." - Richard A. Clarke
Vulnerabilities Everywhere!
TCP is Complicated
HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
Browsers Too
HTML - CSS - JS
DOM - Geolocation - Multimedia - Fetch - Web Sockets
Understand the Solution
There is no perfect security...
Security is not a nice to have
Security is by default
Always, but always assume the worst
Hackers gonna hack
Know your app
Input Vectors
Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage
⚠ Don't trust the users
Must Do
HTTPS! It's 2018
HSTS: Strict-Transport-Security policy
Injection
✅ Injection • Validate input in the SERVER • Sanitize Everything
XSS
✅ XSS • Validate & sanitize all inputs • Encode output (HTML) • Use proper headers
XSS Headers • Strict-Transport-Security • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options • Content-Security-Policy
⚔ CSRF
⚔ ✅ CSRF • Random token in request • same-site cookie flag
Session Management
✅ Session Management • Don't expose token (URL, Browser Storage) • Tokens must expire • OAuth - OpenID - Auth0
Password Management
✅ Password Management • bcrypt for hashing (with salt) • Strong passwords • MFA
Cookie Management
Cookie Flags • httpOnly • secure
↩ Cookie Scoping • domain • path • expires
use strict
Logging & Errors
Sensitive Data Exposure
✅ Sensitive Data Exposure • Just don't!
OSS
OWASP Top 10 - owasp.org
Tools • RetireJS • npm nsp • docker
Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security
Take Away
✌ Promote a security culture!
⏱ Security is important, time to take care!
Thanks! Questions? @ianaya89