Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web App Security

Alessandro Lepore
October 10, 2017
Technology
1
42

Web App Security

Alessandro Lepore

October 10, 2017
Tweet

More Decks by Alessandro Lepore

See All by Alessandro Lepore
Rails performance optimisation tips
alepore
1
28
Italy
alepore
1
100
Ruby and Rails
alepore
0
67
E-commerce world, Spree/Solidus
alepore
1
150
Ruby Introduction
alepore
0
50
E-commerce is hard
alepore
2
200
Ruby-lang.org
alepore
0
55

Other Decks in Technology

See All in Technology
MixIT 2024 - Pulumi : Gérer son infra avec son langage de programmation préféré
ju_hnny5
0
110
エンジニアのキャリアをちょっと楽しくする3本の軸/Three Pillars to Make an Engineer's Career More Enjoyable
kwappa
0
2.8k
開発パフォーマンスを最大化するための開発体制
ham0215
2
470
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
4
480
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
1
330
私が trocco を推す理由
__allllllllez__
1
270
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
3
570
Azureの基本的な権限管理の勉強会
yhana
0
1.2k
Google Cloud Next '24 Recap(Cloud Run/k8s)
mokocm
0
260
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
650
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
0
460

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Building Flexible Design Systems
yeseniaperezcruz
319
37k
Navigating Team Friction
lara
178
13k
Clear Off the Table
cherdarchuk
84
310k
Optimizing for Happiness
mojombo
370
69k
We Have a Design System, Now What?
morganepeng
43
6.8k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Side Projects
sachag
451
41k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k

Transcript

  1. Don’t forget about Security In web applications

  2. Cheers from Italy

  3. Alessandro Classic Developer Saw Star Wars false true Saw Star

    Trek false true Gamer false true Drinks coffee false true Drinks beer true true Has beard true true ~2 meters tall true false

  4. 73% Web application attacks accounted for 73% of all incidents

    says report

  5. “At some point in the history of your company, you’re

    probably going to get hacked.” - Heather Adkins, director of security at Google “There are only two types of companies: those that have been hacked, and those that will be.” - Robert Mueller, FBI Director

  6. OWASP Top 10 Most Critical Web Application Security Risks 1.

    Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards

  7. Application Security is ignored or underrated • Complex topic •

    Difficult to sell • “I never had any security incident” ™

  8. “We have our own security system, and it has never

    been breached in more than 15 years” - oilandgasinternational.com

  9. Oilandgasinternational.com, 10 minutes later

  10. App level Security is developer responsibility

  11. “I am secure by default” - Rails

  12. “Show me the code” - anyone

  13. One line of code… what can go wrong?

  14. WARNING: Very advanced hacker skills > brew install sqlmap >

    sqlmap --dump --url= "http://localhost:3000/ilike_search?search_term=rails"

  15. 5 minutes later… complete_database_dump.csv

  16. None

  17. gem install brakeman

  18. gem install bundler-audit

  19. How to be better at security • Have a black

    hoodie • Have basic security knowledge • Know some tools • Have a plan for responding to incidents • Have a security contact page

  20. Bonus: Security is fun!!! • Hacking labs • Challenges •

    Capture the flag • Example: root-me.org
  21. None