Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security is not a feature‼️

Ignacio Anaya
February 27, 2021
Programming
2
430

Security is not a feature‼️

JS World 2021

Ignacio Anaya

February 27, 2021
Tweet

More Decks by Ignacio Anaya

See All by Ignacio Anaya
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
120
Security is not a feature!
ianaya89
1
320
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
99
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
250
Vue.js, PWA & The Subway Dilemma
ianaya89
0
160
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
110
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
89
A Token Walks into SPA
ianaya89
0
530

Other Decks in Programming

See All in Programming
現場で役立つモデリング 超入門
masuda220
PRO
14
3.1k
推し活の ハイトラフィックに立ち向かう Railsとアーキテクチャ - Kaigi on Rails 2024
falcon8823
6
2.6k
役立つログに取り組もう
irof
28
9.2k
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
420
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.2k
Tuning GraphQL on Rails
pyama86
2
1.2k
RailsのPull requestsのレビューの時に私が考えていること
yahonda
5
2.6k
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
470
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
4
480
Realtime API 入門
riofujimon
0
130
EventSourcingの理想と現実
wenas
6
2.2k
Identifying User Idenity
moro
6
9.2k

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
BBQ
matthewcrist
85
9.3k
Producing Creativity
orderedlist
PRO
341
39k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Embracing the Ebb and Flow
colly
84
4.5k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Designing for Performance
lara
604
68k
A Philosophy of Restraint
colly
203
16k
Ruby is Unlike a Banana
tanoku
96
11k
What's in a price? How to price your products and services
michaelherold
243
12k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k

Transcript

  1. Security is not a feature !" Security is not a

    feature ‼ - @ianaya89 1

  2. ! Nacho Anaya ! @ianaya89 • ! Lead OSS Engineer

    @ChecklyHQ • " Ambassador @Auth0 • # Streaming @ianaya89 Security is not a feature ‼ - @ianaya89 2

  3. ! Security is not a feature ‼ - @ianaya89 3

  4. !" Security is not a feature ‼ - @ianaya89 4

  5. "There are two types of companies: those that have been

    hacked, and those who don't know they have been hacked." John T. Chambers Security is not a feature ‼ - @ianaya89 5

  6. ! Security is not a feature ‼ - @ianaya89 6

  7. ! Security is not a feature ‼ - @ianaya89 7

  8. Security is not a feature ‼ - @ianaya89 8

  9. Security is not a feature ‼ - @ianaya89 9

  10. Security is not a feature ‼ - @ianaya89 10

  11. Security is not a feature ‼ - @ianaya89 11

  12. ! ~11.3 Billons informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks Security is not a feature ‼

    - @ianaya89 12

  13. Security is not a feature ‼ - @ianaya89 13

  14. ! Security is not a feature ‼ - @ianaya89 14

  15. ! ... ! Uneven Competition Security is not a feature

    ‼ - @ianaya89 15

  16. ! Security is not a feature ‼ - @ianaya89 16

  17. ! Lose Money Security is not a feature ‼ -

    @ianaya89 17

  18. ! Lose Trust Security is not a feature ‼ -

    @ianaya89 18

  19. ! Security is not a feature ‼ - @ianaya89 19

  20. ✍ Culture • ! Training • " Politics • ⏱

    Time • $ Money % Security is not a feature ‼ - @ianaya89 20

  21. "If you spend more on coffee than on IT security,

    you will be hacked. What's more, you deserve to be hacked" Richard A. Clarke Security is not a feature ‼ - @ianaya89 21

  22. ! " Invest! Security is not a feature ‼ -

    @ianaya89 22

  23. ! Security is not a feature ‼ - @ianaya89 23

  24. ! Systemic Thinking Security is not a feature ‼ -

    @ianaya89 24

  25. ! Vulnerabilities Security is not a feature ‼ - @ianaya89

    25

  26. "Vulnerabilities are like ants, they are everywhere" Nacho Anaya Security

    is not a feature ‼ - @ianaya89 26

  27. Heartbleed Security is not a feature ‼ - @ianaya89 27

  28. Security is not a feature ‼ - @ianaya89 28

  29. ! Web is Complex Security is not a feature ‼

    - @ianaya89 29

  30. ! HTTP/S - WebSockets - DNS - TCP FTP -

    IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature ‼ - @ianaya89 30

  31. ! Browsers too Security is not a feature ‼ -

    @ianaya89 31

  32. ! HTML - CSS - JS Security is not a

    feature ‼ - @ianaya89 32

  33. ! DOM - Geolocation - Multimedia Fetch - Web Sockets

    - Storage Security is not a feature ‼ - @ianaya89 33

  34. ! Security is not a feature ‼ - @ianaya89 34

  35. ! The Solution Security is not a feature ‼ -

    @ianaya89 35

  36. ! No perfect solution Security is not a feature ‼

    - @ianaya89 36

  37. ! But we can be ready Security is not a

    feature ‼ - @ianaya89 37

  38. ! Security is not a feature ‼ - @ianaya89 38

  39. ! Security is not "nice to have" Security is not

    a feature ‼ - @ianaya89 39

  40. ! Security is by default Security is not a feature

    ‼ - @ianaya89 40

  41. ! Assume the worst Security is not a feature ‼

    - @ianaya89 41

  42. ALWAYS Security is not a feature ‼ - @ianaya89 42

  43. ! Your app is your bestie Security is not a

    feature ‼ - @ianaya89 43

  44. ! Input vectors Security is not a feature ‼ -

    @ianaya89 44

  45. ! Query String - URL Path - Request Body -

    Cookies Request Headers - Form Fields - File Inputs Emails - Web Socket - Browser Storage - Hooks Security is not a feature ‼ - @ianaya89 45

  46. ⚠ Never trust your users Security is not a feature

    ‼ - @ianaya89 46

  47. ! Security is not a feature ‼ - @ianaya89 47

  48. ! HTTPS ! 2021 Security is not a feature ‼

    - @ianaya89 48

  49. Security is not a feature ‼ - @ianaya89 49

  50. ⬇ LTS Security is not a feature ‼ - @ianaya89

    50

  51. Dependencies Security is not a feature ‼ - @ianaya89 51

  52. Security is not a feature ‼ - @ianaya89 52

  53. ! "Your code is not your code, but their bugs

    are your bugs." Nacho Anaya Security is not a feature ‼ - @ianaya89 53

  54. ! eslint-scope eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes Security is not a feature ‼ -

    @ianaya89 54

  55. Security is not a feature ‼ - @ianaya89 55

  56. Security is not a feature ‼ - @ianaya89 56

  57. Security is not a feature ‼ - @ianaya89 57

  58. ! SQL / No-SQL Injection Security is not a feature

    ‼ - @ianaya89 58

  59. Security is not a feature ‼ - @ianaya89 59

  60. Security is not a feature ‼ - @ianaya89 60

  61. ! SQL / No-SQL Injection • ‼ Server Side Validation

    • " Sanitize queries • # ORM / ODM Security is not a feature ‼ - @ianaya89 61

  62. ! XSS Security is not a feature ‼ - @ianaya89

    62

  63. Security is not a feature ‼ - @ianaya89 63

  64. ! XSS • ‼ Server Side Validation • " Sanitize

    inputs • # HTML encoding • $ Frameworks • % HTTP Secure Response Headers Security is not a feature ‼ - @ianaya89 64

  65. ! XSS Headers - HSTS - HPKP - X-Frame-Options -

    X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy ! Secure Headers Security is not a feature ‼ - @ianaya89 65

  66. ! DoS Security is not a feature ‼ - @ianaya89

    66

  67. Security is not a feature ‼ - @ianaya89 67

  68. ! DoS • ⌛ Rate Limiting • ❌ Error handling

    • # Explicit Crashes • $ Exponential Regex • % IP Banning Security is not a feature ‼ - @ianaya89 68

  69. ! Sessions & Tokens Security is not a feature ‼

    - @ianaya89 69

  70. ! Sessions & Tokens • ⏱ Expirable • " Allow

    List or Deny List • # OAUTH - OpenID • $ Single Sign On Security is not a feature ‼ - @ianaya89 70

  71. ! Passwords Security is not a feature ‼ - @ianaya89

    71

  72. Time to crack Security is not a feature ‼ -

    @ianaya89 72

  73. ! Passwords • ! hash + salt (bcrypt) • "

    Strong Passwords (Entropy) • # 2FA / MFA Security is not a feature ‼ - @ianaya89 73

  74. ! " Have I been pawned? https://haveibeenpwned.com Security is not

    a feature ‼ - @ianaya89 74

  75. ! " Have I been pawned? https://haveibeenpwned.com Security is not

    a feature ‼ - @ianaya89 75

  76. ! " Have I been pawned? ! API & DB

    Security is not a feature ‼ - @ianaya89 76

  77. ! Dev Passwords & Secrets • ! CI • "

    Dev Tools • # Cloud • $ Keys - Tokens - Secrets Security is not a feature ‼ - @ianaya89 77

  78. ! Dev Passwords & Secrets • Blackbox • Keybase •

    GPG • Password Managers • Secret Manager (AWS) • MFA ! Security is not a feature ‼ - @ianaya89 78

  79. ! Cookies Security is not a feature ‼ - @ianaya89

    79

  80. ! " Cookies Flags • httpOnly • secure • SameSite

    Security is not a feature ‼ - @ianaya89 80

  81. ! ↩ Cookies Scoping • domain • path • expires

    Security is not a feature ‼ - @ianaya89 81

  82. ! Logging & Monitoring Security is not a feature ‼

    - @ianaya89 82

  83. ! " Logging & Monitoring • ! Monitoring: datadog /

    new relic • " Errors: sentry / bugsnag • # Logs: papertrail / loggly • $ Status: checkly / pingdom Security is not a feature ‼ - @ianaya89 83

  84. ! Sensitive Data Security is not a feature ‼ -

    @ianaya89 84

  85. Security is not a feature ‼ - @ianaya89 85

  86. Security is not a feature ‼ - @ianaya89 86

  87. ! OWASP Top 10 owasp.org Security is not a feature

    ‼ - @ianaya89 87

  88. ! WebGoat $ docker pull webgoat/webgoat-8.0 $ docker run -p

    8080:8080 -t webgoat/webgoat-8.0 Security is not a feature ‼ - @ianaya89 88

  89. ! Take Away Security is not a feature ‼ -

    @ianaya89 89

  90. Security is not a feature ‼ - @ianaya89 90

  91. ! Start taking care Security is not a feature ‼

    - @ianaya89 91

  92. ! Security is not a feature ‼ - @ianaya89 92

  93. ! Thanks! ! Questions? ! @ianaya89 Security is not a

    feature ‼ - @ianaya89 93