
Security is not a feature‼️

JS World 2021

Ignacio Anaya

February 27, 2021

Transcript

  1. Nacho Anaya • @ianaya89 • Lead OSS Engineer @ChecklyHQ • Ambassador @Auth0 • Streaming @ianaya89
     Security is not a feature ‼ - @ianaya89
  2. "There are two types of companies: those that have been hacked, and those who don't know they have been hacked." John T. Chambers
  3. Culture • Training • Politics • Time • Money
  4. "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Richard A. Clarke
  5. HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
  6. HTML - CSS - JS
  7. DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage
  8. But we can be ready
  9. Your app is your bestie
  10. Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage - Hooks
  11. "Your code is not your code, but their bugs are your bugs." Nacho Anaya
  12. SQL / No-SQL Injection • Server Side Validation • Sanitize queries • ORM / ODM
  13. XSS • Server Side Validation • Sanitize inputs • HTML encoding • Frameworks • HTTP Secure Response Headers
  14. Secure Headers: XSS Headers - HSTS - HPKP - X-Frame-Options - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy
  15. DoS • Rate Limiting • Error handling • Explicit Crashes • Exponential Regex • IP Banning
  16. Sessions & Tokens • Expirable • Allow List or Deny List • OAUTH - OpenID • Single Sign On
  17. Passwords • hash + salt (bcrypt) • Strong Passwords (Entropy) • 2FA / MFA
  18. Have I Been Pwned? • API & DB
  19. Dev Passwords & Secrets • CI • Dev Tools • Cloud • Keys - Tokens - Secrets
  20. Dev Passwords & Secrets • Blackbox • Keybase • GPG • Password Managers • Secret Manager (AWS) • MFA
  21. Cookies Flags • httpOnly • secure • SameSite
  22. Cookies Scoping • domain • path • expires
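An added example in JavaScript (the talk's language; not code from the deck) that turns the cookie flags of slides 21 and 22 and the secure response headers of slide 14 into a runnable Node snippet; the function names and the header values are this example's own choices, not the talk's.

```javascript
// Added example (not from the talk): serialize a Set-Cookie header with the
// flags from slides 21 and 22, and build the response headers from slide 14.
// Function names (buildSetCookie, secureHeaders) are this example's own.

// RFC 6265 cookie-name token: no control chars, spaces or separators.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function buildSetCookie(name, value, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new Error(`invalid cookie name: ${name}`);
  const {
    httpOnly = true,   // hidden from document.cookie, so XSS cannot read it
    secure = true,     // only sent over HTTPS
    sameSite = 'Lax',  // CSRF defence: Strict | Lax | None
    domain, path = '/', expires, maxAge,
  } = opts;
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure flag');
  }
  if (domain !== undefined && !/^\.?[A-Za-z0-9.-]+$/.test(domain)) {
    throw new Error(`invalid Domain: ${domain}`);
  }
  if (/[;\s]/.test(path)) throw new Error(`invalid Path: ${path}`);
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`Path=${path}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Headers from slide 14. HPKP, X-XSS-Protection and Expect-CT are left out:
// current browsers have deprecated or removed them. Values are defaults chosen
// for this example, not the talk's.
function secureHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  };
}
```

Call `res.setHeader('Set-Cookie', buildSetCookie(...))` and copy `secureHeaders()` onto the response in any Node HTTP handler; the defaults are secure unless an option explicitly weakens them.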
  23. Logging & Monitoring • Monitoring: datadog / new relic • Errors: sentry / bugsnag • Logs: papertrail / loggly • Status: checkly / pingdom
  24. WebGoat
      $ docker pull webgoat/webgoat-8.0
      $ docker run -p 8080:8080 -t webgoat/webgoat-8.0