hey-devs-time-to-care-about-web-apps-security.pdf
Search
Ignacio Anaya
November 20, 2018
Transcript
Slide 1: Hey Devs, Time to take care about web security! ⏱ Time to take care about web security! - @ianaya89 1
(Every slide carries the same footer, "Time to take care about web security! - @ianaya89" plus the slide number; it is kept only on slide 1 here.)
Slide 2: Nacho Anaya, @ianaya89 • JavaScript Engineer @BloqInc • Ambassador @Auth0 • Organizer @Vuenos_Aires
Slide 3: (no transcribed text)
Slide 4: "There are two types of companies: those that have been hacked, and those who don't know they have been hacked." John T. Chambers
Slide 5: Understand the Problem
Slide 6: 2017: 4.2 billion leaks
Slide 7: (no transcribed text)
Slide 8: Lose Money
Slide 9: Lose Trust
Slide 10: ⏱ Invest!
Slide 11: "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Richard A. Clarke
Slide 12: Vulnerabilities Everywhere!
Slide 13: (no transcribed text)
Slide 14: (no transcribed text)
Slide 15: TCP is Complicated
Slide 16: HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
Slide 17: Browsers Too
Slide 18: HTML - CSS - JS
Slide 19: DOM - Geolocation - Multimedia - Fetch - Web Sockets
Slide 20: Understand the Solution
Slide 21: There is no perfect security...
Slide 22: Security is not a nice to have
Slide 23: Security is by default
Slide 24: Always, but always assume the worst
Slide 25: Hackers gonna hack
Slide 26: Know your app
Slide 27: Input Vectors
Slide 28: Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage
Slide 29: ⚠ Don't trust the users
Slide 30: Must Do
Slide 31: HTTPS. It's 2018
Slide 32: (no transcribed text)
Slide 33: HSTS (strict-transport-security-policy)
Slide 34: Injection
Slide 35: ✅ Injection • Validate input in the SERVER • Sanitize everything
Slide 36: XSS
Slide 37: (no transcribed text)
Slide 38: ✅ XSS • Validate & sanitize all inputs • Encode output (HTML) • Use proper headers
Slide 39: XSS Headers • Strict-Transport-Security • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options • Content-Security-Policy
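The two defensive steps slides 33, 38 and 39 name (send the protective response headers, and encode untrusted text before it is placed in HTML) as an added Node.js example. This is not code from the deck or from the speaker; the header values are illustrative defaults, and `applySecurityHeaders` assumes any object with a `setHeader(name, value)` method such as Node's `http.ServerResponse` or an Express `res`.

```javascript
// Added example (not from the slides): security headers + HTML output encoding.

// HSTS: browsers that have seen this header refuse plain HTTP to the host
// for max-age seconds. One year is a common production value.
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60; // 31536000

function securityHeaders() {
  return {
    'Strict-Transport-Security': `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`,
    // Refuse to be framed at all: closes the clickjacking vector.
    'X-Frame-Options': 'DENY',
    // Never let the browser second-guess Content-Type (stops script/style sniffing).
    'X-Content-Type-Options': 'nosniff',
    // The legacy XSS auditor is gone from modern browsers and had bypasses of its
    // own; current OWASP guidance is to set it to 0 and rely on CSP instead.
    'X-XSS-Protection': '0',
    // CSP: only same-origin scripts/styles, no plugins, no <base> hijacking.
    'Content-Security-Policy': "default-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// Works with anything exposing setHeader(name, value) (assumption: Node http / Express).
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(securityHeaders())) {
    res.setHeader(name, value);
  }
  return res;
}

// Output encoding for the HTML *text* context: every character that can start
// a tag, attribute or entity is replaced by its entity. This is the "Encode
// output (HTML)" step; attribute, URL and JS contexts need their own encoders.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Typical use: untrusted input (here a display name) interpolated into markup.
function renderGreeting(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}!</p>`;
}

module.exports = { securityHeaders, applySecurityHeaders, escapeHtml, renderGreeting };
```

`escapeHtml` is a whitelist of characters to neutralize, not a blacklist of known payloads, which is why it also covers `'` and the backtick: the same string may later end up inside a single-quoted attribute or a template literal.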
Slide 40: ⚔ CSRF
Slide 41: ⚔ ✅ CSRF • Random token in request • same-site cookie flag
Slide 42: Session Management
Slide 43: ✅ Session Management • Don't expose token (URL, Browser Storage) • Tokens must expire • OAuth - OpenID - Auth0
Slide 44: Password Management
Slide 45: ✅ Password Management • bcrypt for hashing (with salt) • Strong passwords • MFA
Slide 46: Cookie Management
Slide 47: Cookie Flags • httpOnly • secure
Slide 48: ↩ Cookie Scoping • domain • path • expires
Slide 49: use strict
Slide 50: Logging & Errors
Slide 51: Sensitive Data Exposure
Slide 52: (no transcribed text)
Slide 53: ✅ Sensitive Data Exposure: Just don't!
Slide 54: OSS
Slide 55: OWASP Top 10 owasp.org
Slide 56: (no transcribed text)
Slide 57: Tools • RetireJS • npm nsp • docker
Slide 58: Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security
Slide 59: (no transcribed text)
Slide 60: Take Away
Slide 61: ✌ Promote a security culture!
Slide 62: ⏱ Security is important, time to take care!
Slide 63: Thanks! Questions? @ianaya89