Security is not a feature!

Ignacio Anaya

June 13, 2020
Transcript

  1. Nacho Anaya • @ianaya89 • Principal Engineer https://twitter.com/@BalloonPlatform • Ambassador @Auth0 & @GitKraken • Tech Speaker @MozTechSpeakers • Organizer @Vuenos_Aires — Security is not a feature! - @ianaya89 2
  2. "There are two types of companies: those that have been hacked, and those that don't yet know they have been hacked." John T. Chambers
  3. Culture • Training • Policies • Time • Money
  4. "If you spend more money on coffee than on IT security, you will be hacked. In fact, you deserve to be hacked." Richard A. Clarke
  5. HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
  6. DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage
  7. Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage
  8. Update versions • Node.js (12.18.0 LTS) • npm (6.14.4) • express (4.17.1)
  9. Update dependencies • npm audit • Dependabot • Snyk
  10. ✅ SQL / NoSQL Injection • Validate inputs on the SERVER • Sanitize queries • Use an ORM / ODM
  11. SQL / NoSQL Injection • mongoose • sequelize
  12. ✅ XSS • Validate inputs on the SERVER • Encode output (HTML) • Secure response headers
  13. XSS headers (Secure Headers): HSTS - HPKP - X-Frame-Options - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy
  14. XSS • @hapi/joi • express-validator • helmet • csurf (CSRF)
  15. ✅ DoS • Rate limiting • Error handling • Explicit "crashes" • Regex validation • Blocking users / IPs
  16. DoS • express-rate-limit (basic) • node-rate-limiter-flexible (advanced) • try/catch - catch() - if (err) • safe-regex
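Slides 15 and 16 list rate limiting and blocking users/IPs as the DoS controls and name express-rate-limit; as an added example (not code from the talk and not express-rate-limit itself), here is a dependency-free sliding-window limiter with temporary IP blocking written with the Express middleware signature. The `now` parameter is an assumption added so the clock can be controlled in tests.

```javascript
// Added example, not from the talk: in-memory sliding-window rate limiter
// with temporary per-IP blocking, exposed as Express-style (req, res, next)
// middleware. No external packages, so it runs stand-alone.
function createRateLimiter({ windowMs, max, blockMs, now = Date.now }) {
  const hits = new Map();    // ip -> timestamps of requests inside the window
  const blocked = new Map(); // ip -> time until which the ip stays blocked

  function check(ip) {
    const t = now();
    const until = blocked.get(ip);
    if (until !== undefined) {
      if (t < until) return { allowed: false, reason: 'blocked', retryAfterMs: until - t };
      blocked.delete(ip); // block expired, start with a clean history
    }
    // Keep only the requests that still fall inside the sliding window
    const recent = (hits.get(ip) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= max) {
      // Window exhausted: block the ip for blockMs and drop its history
      blocked.set(ip, t + blockMs);
      hits.delete(ip);
      return { allowed: false, reason: 'rate', retryAfterMs: blockMs };
    }
    recent.push(t);
    hits.set(ip, recent);
    return { allowed: true, remaining: max - recent.length };
  }

  // Express-compatible middleware: answers 429 + Retry-After when over the limit
  function middleware(req, res, next) {
    const ip = req.ip || (req.socket && req.socket.remoteAddress) || 'unknown';
    const result = check(ip);
    res.setHeader('X-RateLimit-Limit', String(max));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.statusCode = 429;
      return res.end('Too Many Requests');
    }
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    return next();
  }

  return { check, middleware };
}
```

In an Express app the middleware would be registered with `app.use(createRateLimiter({ windowMs: 60000, max: 100, blockMs: 300000 }).middleware)` before the routes.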
  17. ✅ Sessions & Tokens • Don't expose them • Expire them • Blacklist or whitelist • OAuth - OpenID
  18. Sessions & Tokens • jsonwebtoken • passport • Auth0 - Okta - Firebase
  19. ✅ Passwords • hash + salt (don't use crypto) • Strong passwords (entropy) • MFA
  20. Passwords • bcrypt • speakeasy • Auth0 - Okta - Firebase • Twilio
  21. Have I Been Pwned? API & DB
  22. Dev passwords & secrets • CI • Dev tools • Cloud • Keys - Tokens - Secrets
  23. ✅ Dev passwords & secrets • 1Password • Blackbox • GPG • Secret Manager (AWS) • MFA ⚠
  24. Cookie flags • httpOnly • secure • SameSite
  25. Cookie scoping • domain • path • expires
  26. Logging & Monitoring • datadog & new relic (monitoring) • sentry & bugsnag (errors) • papertrail & loggly (logs) • pingdom & checkly (status)
  27. Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security • The Node.js best practices list • Web Application Security