Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security is not a feature!
Search
Ignacio Anaya
June 13, 2020
Technology
1
320
Security is not a feature!
Ignacio Anaya
June 13, 2020
Tweet
Share
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
430
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
120
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
99
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
250
Vue.js, PWA & The Subway Dilemma
ianaya89
0
160
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
110
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
89
A Token Walks into SPA
ianaya89
0
530
Other Decks in Technology
See All in Technology
"君は見ているが観察していない"で考えるインシデントマネジメント
grimoh
4
970
DatabricksにおけるLLMOpsのベストプラクティス
taka_aki
4
1.6k
Autify Company Deck
autifyhq
1
39k
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
1
210
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
0
140
10分でわかるfreeeのQA
freee
1
3.4k
Forget efficiency – Become more productive without the stress
ufried
0
230
re:Invent 2024のおすすめセッション
beli68
0
110
Intuneお役立ちツールのご紹介
sukank
3
700
形式手法の 10 メートル手前 #kernelvm / Kernel VM Study Hokuriku Part 7
ytaka23
5
710
社内で最大の技術的負債のリファクタリングに取り組んだお話し
kidooonn
0
330
Shift-from-React-to-Vue
calm1205
4
1.6k
Featured
See All Featured
Visualization
eitanlees
145
15k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Designing for Performance
lara
604
68k
Code Review Best Practice
trishagee
64
17k
Teambox: Starting and Learning
jrom
133
8.8k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
What's in a price? How to price your products and services
michaelherold
243
12k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Transcript
Security is not a feature! ! Security is not a
feature! - @ianaya89 1
! Nacho Anaya ! @ianaya89 • ! Principal Engineer https://
twitter.com/@BalloonPlatform • " Ambassador @Auth0 & @GitKraken • # Tech Speaker @MozTechSpeakers • $ Organizador @Vuenos_Aires Security is not a feature! - @ianaya89 2
!" Security is not a feature! - @ianaya89 3
"Hay dos tipos de empresas: aquellas que han sido hackeadas
y aquellas que todavía no saben que han sido hackeadas" John T. Chambers Security is not a feature! - @ianaya89 4
! Entender el problema Security is not a feature! -
@ianaya89 5
! Zoom Security is not a feature! - @ianaya89 6
Competencia Despareja ! ... Security is not a feature! -
@ianaya89 7
! 3.5 Billones Security is not a feature! - @ianaya89
8
Security is not a feature! - @ianaya89 9
! Perdida de Dinero Security is not a feature! -
@ianaya89 10
! Perdida de Confianza Security is not a feature! -
@ianaya89 11
! Cultura • ! Capacitación • " Politicas • ⏱
Tiempo • $ Dinero Security is not a feature! - @ianaya89 12
"Si gastas mas dinero en cafe que en Seguridad IT,
vas a ser hackeado. En realidad, te mereces ser hackeado" Richard A. Clarke Security is not a feature! - @ianaya89 13
! " Invertir! Security is not a feature! - @ianaya89
14
! Mirada Sistémica Security is not a feature! - @ianaya89
15
! Vulnerabilidades Security is not a feature! - @ianaya89 16
Heartbleed Security is not a feature! - @ianaya89 17
Security is not a feature! - @ianaya89 18
! TCP es complejo Security is not a feature! -
@ianaya89 19
HTTP/S - WebSockets - DNS - TCP - FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature! - @ianaya89 20
! Los navegadores tambien Security is not a feature! -
@ianaya89 21
HTML - CSS - JS Security is not a feature!
- @ianaya89 22
DOM - Geolocation - Multimedia - Fetch - Web Sockets
- Storage Security is not a feature! - @ianaya89 23
! Entender la Solución Security is not a feature! -
@ianaya89 24
! No hay solución perfecta Security is not a feature!
- @ianaya89 25
! Pero podemos prepararnos Security is not a feature! -
@ianaya89 26
! Seguridad no es "nice to have" Security is not
a feature! - @ianaya89 27
! Seguridad por defecto Security is not a feature! -
@ianaya89 28
! Siempre, pero siempre... Asumamos lo peor Security is not
a feature! - @ianaya89 29
! Conocer tu Aplicación. Security is not a feature! -
@ianaya89 30
! Vectores de Entrada Security is not a feature! -
@ianaya89 31
Query String - URL Path - Request Body - Cookies
- Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Security is not a feature! - @ianaya89 32
⚠ No confiar en los usuarios Security is not a
feature! - @ianaya89 33
✅ Checklist de Seguridad Security is not a feature! -
@ianaya89 34
! Security is not a feature! - @ianaya89 35
! HTTPS ! 2020 Security is not a feature! -
@ianaya89 36
Security is not a feature! - @ianaya89 37
⬇ Actualizar Versiones • Node.js (12.18.0 LTS) • npm (6.14.4)
• express (4.17.1) Security is not a feature! - @ianaya89 38
! Actualizar Dependencias • npm audit • dependant-bot • Snyk
Security is not a feature! - @ianaya89 39
! Linter eslint-plugin-security Security is not a feature! - @ianaya89
40
! SQL / No-SQL Injection Security is not a feature!
- @ianaya89 41
! ✅ SQL / No-SQL Injection • Validar inputs en
el SERVER • Sanitizar queries • Usar ORM / ODM Security is not a feature! - @ianaya89 42
! " SQL / No-SQL Injection • mongoose • sequelize
Security is not a feature! - @ianaya89 43
! XSS Security is not a feature! - @ianaya89 44
Security is not a feature! - @ianaya89 45
!✅ XSS • Validar inputs en el SERVER • "Encodear"
output (HTML) • Secure Response Headers Security is not a feature! - @ianaya89 46
! " XSS Headers - HSTS - HPKP - X-Frame-Options
- X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy Secure Headers Security is not a feature! - @ianaya89 47
!" XSS • @hapi/joi • express-validator • helmet • csurf
(CSRF) Security is not a feature! - @ianaya89 48
! DoS Security is not a feature! - @ianaya89 49
! ✅ DoS • Rate limiting • Manejo de errores
• "Crasheos" explícitos • Validacion de Regex • Bloqueo de Usuarios / IP Security is not a feature! - @ianaya89 50
! " DoS • express-rate-limit (basico) • node-rate-limiter-flexible (avanzado) •
try/cath - catch() - if (err) • safe-regex Security is not a feature! - @ianaya89 51
! Sesiones & Tokens Security is not a feature! -
@ianaya89 52
! ✅ Sesiones & Tokens • No exponer • Expirar
• Blacklist o WhiteList • OAUTH - OpenID Security is not a feature! - @ianaya89 53
! " Sesiones & Tokens • jsonwebtoken • passport •
Auth0 - Okta - Firebase Security is not a feature! - @ianaya89 54
! Passwords Security is not a feature! - @ianaya89 55
Time to crack Security is not a feature! - @ianaya89
56
! ✅ Passwords • hash + salt (no usar crypto)
• Contraseñas fuertes (entropia) • MFA Security is not a feature! - @ianaya89 57
! " Passwords • bcrypt • speakeasy • Auth0 -
Okta - Firebase • Twilio Security is not a feature! - @ianaya89 58
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature! - @ianaya89 59
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature! - @ianaya89 60
! " Have I been pawned? API & DB Security
is not a feature! - @ianaya89 61
! Dev Passwords & Secrets • CI • Dev Tools
• Cloud • Keys - Tokens - Secrets Security is not a feature! - @ianaya89 62
! ✅ Dev Passwords & Secrets • 1Password • Blackbox
• GPG • Secret Manager (AWS) • MFA ⚠ Security is not a feature! - @ianaya89 63
! Cookies Security is not a feature! - @ianaya89 64
! " Cookies Flags • httpOnly • secure • SameSite
Security is not a feature! - @ianaya89 65
! ↩ Cookies Scoping • domain • path • expires
Security is not a feature! - @ianaya89 66
! Logging & Monitoring Security is not a feature! -
@ianaya89 67
! " Logging & Monitoring • winston • express-status-monitor Security
is not a feature! - @ianaya89 68
! " Logging & Monitoring • datadog & new relic
(monitoreo) • sentry & bugsnag (errores) • papertrail & loggly (logs) • pingdom & checkly (status) Security is not a feature! - @ianaya89 69
! Exponer Información Sensible Security is not a feature! -
@ianaya89 70
Security is not a feature! - @ianaya89 71
! ✅ Exponer Información Sensible Simplemente no! Security is not
a feature! - @ianaya89 72
Security is not a feature! - @ianaya89 73
! OWASP Top 10 owasp.org Security is not a feature!
- @ianaya89 74
! Recursos • owasp.org • WebGoat • Web Security Basics
• MIT Computer Systems Security • The Node.js best practices list • Web Application Security Security is not a feature! - @ianaya89 75
! Take Away Security is not a feature! - @ianaya89
76
Security is not a feature! - @ianaya89 77
✌ Crear una cultura de seguridad Security is not a
feature! - @ianaya89 78
! Security is not a feature! - @ianaya89 79
! Gracias! ! Preguntas? ! @ianaya89 Security is not a
feature! - @ianaya89 80