Upgrade to Pro — share decks privately, control downloads, hide ads and more …

hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya
November 20, 2018
0
90

 hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya

November 20, 2018
Tweet

More Decks by Ignacio Anaya

See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
440
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
120
Security is not a feature!
ianaya89
1
320
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
100
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
250
Vue.js, PWA & The Subway Dilemma
ianaya89
0
160
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
110
A Token Walks into SPA
ianaya89
0
530

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Producing Creativity
orderedlist
PRO
341
39k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
How GitHub (no longer) Works
holman
310
140k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Writing Fast Ruby
sferik
627
61k
KATA
mclloyd
29
14k
4 Signs Your Business is Dying
shpigford
180
21k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Thoughts on Productivity
jonyablonski
67
4.3k

Transcript

  1. Hey Devs, Time to take care about web security! !

    ⏱ Time to take care about web security! - @ianaya89 1

  2. ! Nacho Anaya ! @ianaya89 • JavaScript Engineer @BloqInc •

    Ambassador @Auth0 • Organizer @Vuenos_Aires Time to take care about web security! - @ianaya89 2

  3. !" Time to take care about web security! - @ianaya89

    3

  4. "There are two types of companies: those that have been

    hacked, and those who don't know they have been hacked." John T. Chambers Time to take care about web security! - @ianaya89 4

  5. ! Understand the Problem Time to take care about web

    security! - @ianaya89 5

  6. ! 2017 4.2 billon leaks Time to take care about

    web security! - @ianaya89 6

  7. Time to take care about web security! - @ianaya89 7

  8. ! Loose Money Time to take care about web security!

    - @ianaya89 8

  9. ! Loose Trust Time to take care about web security!

    - @ianaya89 9

  10. ! ⏱ Invest! Time to take care about web security!

    - @ianaya89 10

  11. "If you spend more on coffee than on IT security,

    you will be hacked. Whats more, you deserve to be hacked" Richard A. Clarke Time to take care about web security! - @ianaya89 11

  12. ! Vulnerabili+es Everywhere! Time to take care about web security!

    - @ianaya89 12

  13. Time to take care about web security! - @ianaya89 13

  14. Time to take care about web security! - @ianaya89 14

  15. ! TCP is Complicated Time to take care about web

    security! - @ianaya89 15

  16. HTTP/S - WebSockets - DNS - TCP - FTP -

    IPv4 - IPv6 - SSH- ASCII - IRC Time to take care about web security! - @ianaya89 16

  17. ! Browsers Too Time to take care about web security!

    - @ianaya89 17

  18. HTML - CSS - JS Time to take care about

    web security! - @ianaya89 18

  19. DOM - Geoloca,on - Mul,media - Fetch - Web Sockets

    Time to take care about web security! - @ianaya89 19

  20. ! Understand the Solu/on Time to take care about web

    security! - @ianaya89 20

  21. ! There is no perfect security... Time to take care

    about web security! - @ianaya89 21

  22. ! Security is not a nice to have Time to

    take care about web security! - @ianaya89 22

  23. ! Security is by default Time to take care about

    web security! - @ianaya89 23

  24. ! Always, but always assume the worst Time to take

    care about web security! - @ianaya89 24

  25. ! Hackers gonna hack Time to take care about web

    security! - @ianaya89 25

  26. ! Know your app Time to take care about web

    security! - @ianaya89 26

  27. ! Input Vectors Time to take care about web security!

    - @ianaya89 27

  28. Query String - URL Path - Request Body - Cookies

    - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Time to take care about web security! - @ianaya89 28

  29. ⚠ Don't trust the users Time to take care about

    web security! - @ianaya89 29

  30. ! Must Do Time to take care about web security!

    - @ianaya89 30

  31. ! HTTPS ! It's 2018 Time to take care about

    web security! - @ianaya89 31

  32. Time to take care about web security! - @ianaya89 32

  33. ! HSTS strict-transport-security-policy Time to take care about web security!

    - @ianaya89 33

  34. ! Injec'on Time to take care about web security! -

    @ianaya89 34

  35. ! ✅ Injec'on • Validate input in the SERVER •

    Sani1ze Everything Time to take care about web security! - @ianaya89 35

  36. ! XSS Time to take care about web security! -

    @ianaya89 36

  37. Time to take care about web security! - @ianaya89 37

  38. ! ✅ XSS • Validate & sani-ze all inputs •

    Encode output (HTML) • Use proper headers Time to take care about web security! - @ianaya89 38

  39. ! " XSS Headers • String-Transport-Security • X-Frame-Op6ons • X-XSS-Protec6on

    • X-Content-Type-Op6ons • Content-Security-Policy Time to take care about web security! - @ianaya89 39

  40. ⚔ CSRF Time to take care about web security! -

    @ianaya89 40

  41. ⚔ ✅ CSRF • Random token in request • same-site

    cookie flag Time to take care about web security! - @ianaya89 41

  42. ! Session Management Time to take care about web security!

    - @ianaya89 42

  43. ! ✅ Session Management • Don't expose token (URL, Browser

    Storage) • Tokens must expire • OAUTH - OpenID - Auth0 Time to take care about web security! - @ianaya89 43

  44. ! Password Management Time to take care about web security!

    - @ianaya89 44

  45. ! ✅ Password Management • bcrypt for hashing (with salt)

    • Strong passwords • MFA Time to take care about web security! - @ianaya89 45

  46. ! Cookie Management Time to take care about web security!

    - @ianaya89 46

  47. ! " Cookie Flags • httpOnly • secure Time to

    take care about web security! - @ianaya89 47

  48. ! ↩ Cookie Scoping • domain • path • expires

    Time to take care about web security! - @ianaya89 48

  49. ! use strict Time to take care about web security!

    - @ianaya89 49

  50. ! Logging & Errors Time to take care about web

    security! - @ianaya89 50

  51. ! Sensi've Data Exposure Time to take care about web

    security! - @ianaya89 51

  52. Time to take care about web security! - @ianaya89 52

  53. ! ✅ Sensi've Data Exposure Just don't! Time to take

    care about web security! - @ianaya89 53

  54. ! OSS Time to take care about web security! -

    @ianaya89 54

  55. ! OWASP Top 10 owasp.org Time to take care about

    web security! - @ianaya89 55

  56. Time to take care about web security! - @ianaya89 56

  57. ! Tools • Re$reJS • npm nsp • docker Time

    to take care about web security! - @ianaya89 57

  58. ! Resources • owasp.org • WebGoat • Web Security Basics

    • MIT Computer Systems Security Time to take care about web security! - @ianaya89 58

  59. ! Time to take care about web security! - @ianaya89

    59

  60. ! Take Away Time to take care about web security!

    - @ianaya89 60

  61. ✌ Promote a security culture! Time to take care about

    web security! - @ianaya89 61

  62. ⏱ Security is important, 1me to take care! Time to

    take care about web security! - @ianaya89 62

  63. ! Thanks! ! Ques&ons? ! @ianaya89 Time to take care

    about web security! - @ianaya89 63