hey-devs-time-to-care-about-web-apps-security.pdf
Ignacio Anaya
November 20, 2018
Transcript
Hey Devs, Time to take care about web security!
Time to take care about web security! - @ianaya89
Nacho Anaya, @ianaya89 • JavaScript Engineer @BloqInc • Ambassador @Auth0 • Organizer @Vuenos_Aires
"There are two types of companies: those that have been hacked, and those who don't know they have been hacked." John T. Chambers
Understand the Problem
2017: 4.2 billion leaks
Lose Money
Lose Trust
Invest!
"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Richard A. Clarke
Vulnerabilities Everywhere!
TCP is Complicated
HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
Browsers Too
HTML - CSS - JS
DOM - Geolocation - Multimedia - Fetch - Web Sockets
Understand the Solution
There is no perfect security...
Security is not a nice to have
Security by default
Always, but always, assume the worst
Hackers gonna hack
Know your app
Input Vectors
Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage
⚠ Don't trust the users
Must Do
HTTPS! It's 2018
HSTS: the Strict-Transport-Security header
Injection
✅ Injection • Validate input on the SERVER • Sanitize everything • Wherever a query or command is built from input, prefer parameterized APIs (prepared statements, argv arrays) over string concatenation; sanitizing is the fallback, not the primary control
XSS
✅ XSS • Validate & sanitize all inputs • Encode output for the context it lands in (HTML body, attribute, inline script) • Use proper headers
Security headers • Strict-Transport-Security • X-Frame-Options • X-XSS-Protection (legacy: the browser XSS auditor it controlled has since been removed from Chromium-based browsers and never existed in Firefox; set it to 0 or omit it and rely on CSP) • X-Content-Type-Options • Content-Security-Policy
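The "encode output" item above, as an added example that is not part of the deck: a server-rendered profile page in the vulnerable and hardened forms. The profile template, its fields and the payloads are constructed. It goes one step beyond the slide by showing that the HTML body/attribute context and the inline-script context need different encoders.

```javascript
// Added example (not from the deck): contextual output encoding.
// The profile page and the payloads are constructed for illustration.

// HTML body and attribute context: every markup-significant character
// becomes an entity. Use for text nodes and double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inline <script> context: JSON.stringify yields a valid JS literal, but a
// "</script>" inside the string would still close the tag for the HTML
// parser, so '<' and '>' are written as \u003c / \u003e, which JS reads back
// as the same characters.
function toJsLiteral(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// VULNERABLE: untrusted profile data is interpolated raw into three contexts.
function renderProfileUnsafe(profile) {
  return `<h1>${profile.name}</h1>
<a href="/u/${profile.name}" title="${profile.bio}">profile</a>
<script>var user = "${profile.name}";</script>`;
}

// HARDENED: each interpolation goes through the encoder for its own context.
function renderProfileSafe(profile) {
  return `<h1>${escapeHtml(profile.name)}</h1>
<a href="/u/${encodeURIComponent(profile.name)}" title="${escapeHtml(profile.bio)}">profile</a>
<script>var user = ${toJsLiteral(profile.name)};</script>`;
}

// Constructed payloads, one per context the template touches.
const EVIL = {
  name: '</script><script>alert(document.cookie)</script>',
  bio: '" onmouseover="alert(1)',
};

console.log(renderProfileUnsafe(EVIL));   // script tag and event handler land in the page
console.log(renderProfileSafe(EVIL));     // both are inert text
```

The encoders are deliberately tiny; in a real app the template engine's auto-escaping does this job, and the check is that no `{{{ }}}` / `innerHTML` style raw interpolation is reachable from user input.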
⚔ CSRF
⚔ ✅ CSRF • Random token in the request (synchronizer token, issued per session and verified on the server for every state-changing request) • SameSite cookie attribute
Session Management
✅ Session Management • Don't expose the token (URL, browser storage) • Tokens must expire • OAuth - OpenID Connect - Auth0
Password Management
✅ Password Management • bcrypt for hashing (salted per password and deliberately slow) • Strong passwords • MFA
Cookie Management
Cookie flags • HttpOnly • Secure
Cookie scoping • Domain • Path • Expires / Max-Age
'use strict'
Logging & Errors
Sensitive Data Exposure
✅ Sensitive Data Exposure: just don't!
OSS
OWASP Top 10 owasp.org
Tools • RetireJS • npm nsp (the Node Security Platform, since folded into npm audit) • docker
Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security
Take Away
✌ Promote a security culture!
⏱ Security is important, time to take care!
Thanks! Questions? @ianaya89