Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web App Security

Alessandro Lepore
October 10, 2017
Technology
1
43

Web App Security

Alessandro Lepore

October 10, 2017
Tweet

More Decks by Alessandro Lepore

See All by Alessandro Lepore
Rails performance optimisation tips
alepore
1
30
Italy
alepore
1
110
Ruby and Rails
alepore
0
74
E-commerce world, Spree/Solidus
alepore
1
160
Ruby Introduction
alepore
0
61
E-commerce is hard
alepore
2
210
Ruby-lang.org
alepore
0
67

Other Decks in Technology

See All in Technology
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
300
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
TypeScript、上達の瞬間
sadnessojisan
46
13k
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
160
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
190

Featured

See All Featured
Unsuck your backbone
ammeep
668
57k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
YesSQL, Process and Tooling at Scale
rocio
169
14k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Building Your Own Lightsaber
phodgson
103
6.1k
Rails Girls Zürich Keynote
gr2m
94
13k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
Faster Mobile Websites
deanohume
305
30k

Transcript

  1. Don’t forget about Security In web applications

  2. Cheers from Italy

  3. Alessandro Classic Developer Saw Star Wars false true Saw Star

    Trek false true Gamer false true Drinks coffee false true Drinks beer true true Has beard true true ~2 meters tall true false

  4. 73% Web application attacks accounted for 73% of all incidents

    says report

  5. “At some point in the history of your company, you’re

    probably going to get hacked.” - Heather Adkins, director of security at Google “There are only two types of companies: those that have been hacked, and those that will be.” - Robert Mueller, FBI Director

  6. OWASP Top 10 Most Critical Web Application Security Risks 1.

    Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards

  7. Application Security is ignored or underrated • Complex topic •

    Difficult to sell • “I never had any security incident” ™

  8. “We have our own security system, and it has never

    been breached in more than 15 years” - oilandgasinternational.com

  9. Oilandgasinternational.com, 10 minutes later

  10. App level Security is developer responsibility

  11. “I am secure by default” - Rails

  12. “Show me the code” - anyone

  13. One line of code… what can go wrong?

  14. WARNING: Very advanced hacker skills > brew install sqlmap >

    sqlmap --dump --url= "http://localhost:3000/ilike_search?search_term=rails"

  15. 5 minutes later… complete_database_dump.csv

  16. None

  17. gem install brakeman

  18. gem install bundler-audit

  19. How to be better at security • Have a black

    hoodie • Have basic security knowledge • Know some tools • Have a plan for responding to incidents • Have a security contact page

  20. Bonus: Security is fun!!! • Hacking labs • Challenges •

    Capture the flag • Example: root-me.org
  21. None