A high-level overview of the security measures you can easily take to mitigate common attack vectors on the web: from HTTPS to password managers, and from social engineering to password rules.
& security expert
• Team: Ninja Unicorns
• Upcoming SilverStripe meetup: 3rd of April at Biz Dojo
• Author of MFA modules for SilverStripe 3 & 4
• Cat owner
• Hans the cow is my mascot
• I have a zoo on my desk
• Scarily obsessed with security*
• LEGO!
• Born Dutch
• Bribable with Whisk(e)y, beer or LEGO
• I have a lot of stickers!
That's me ➡ Although, I'm standing right over here, if you hadn't noticed. ⬅
That's my cat, Marika, she would like a boop
That's Hans ➡ ⬅ The zoo
Simon `Firesphere` Erkelens | 2018
be second
• Security should be the first thing on your mind
• Use the tools available
• Think about the implications of your work
• Have security issues as a part of your checklist
• And, remember...
be breached. If not today, it'll be tomorrow
• Preparing for the worst is better than hoping for the best
• Most breaches are due to bad practices by (in no particular order):
• SysOps
• DevOps
• Software Engineers
• Clients
• End users
• CMS Users
• P E O P L E
for social engineering
Social engineering is very easy. It works even when the target knows it is coming and has invited people to try it, and even when that target is a security expert.
we'll cover
• Make sure your own projects are safe
• OWASP (you may have heard of it?)
• Use password managers
• Add HTTPS
• Update your password rules
• Implement Multi Factor Authentication
• Add Content Security Policies to your site
• Add Subresource Integrity, so you know what runs
practices
• roave/security-advisories: a Composer meta-package with no code of its own, only a `conflict` list of dependency versions with known vulnerabilities, so `composer require` and `composer update` refuse to resolve to them
• Add it with `require` or `require-dev`; it only affects dependency resolution, it does not scan an already installed vendor tree, so keep it updated too
• Keep up to date with the latest known security issues
Project
• Their Top 10 of vulnerability risks is a good place to start
• Juice Shop project: a deliberately vulnerable web application to practise on
• Zed Attack Proxy (ZAP): an intercepting proxy and scanner for testing your own applications
• And a lot more!
• DO NOT EVER disable pasting of passwords in password fields
• Explain to your client why
• Explain the benefits
• Suggest them to your client, here are a few:
• Bitwarden (my favourite, I'm not being paid to say this)
• 1Password
• LastPass
for "Secure Connection"
• Try visiting an http site on hotel wifi and compare it to https
• httpforever.com
• Let's Encrypt
• Certbot, ACME v2, secure updates… Let's Encrypt
• Don't go EV, never go EV
• Seriously, it's a waste of money nowadays
• Keep your certificates up to date
• Certbot does that for you
• Turn on HSTS and register your site for HSTS preloading
• Force HTTPS across your entire site
• Show your clients Troy Hunt's demo if they are not sure
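The "force HTTPS" and HSTS points above, as an added example (not code from the talk or from SilverStripe): a plain Node.js request handler that 301-redirects any plain-HTTP request to the HTTPS origin, keeping path and query, and only emits the `Strict-Transport-Security` header on the HTTPS response, because browsers ignore HSTS received over plain HTTP. The hostname and paths in the sample requests are made up, and the `isSecure` flag stands in for whatever your stack exposes (`req.socket.encrypted`, or a trusted `X-Forwarded-Proto` from your own proxy).

```javascript
// Added example: redirect to HTTPS and send HSTS. Not from the original talk.

// One year is the minimum max-age hstspreload.org accepts for a preload submission.
const ONE_YEAR = 31536000;

function hstsHeaderValue({ maxAge = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  // 'preload' is only safe once you are sure the whole domain, subdomains included,
  // will serve HTTPS forever: removal from the browser-shipped list takes months.
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Decide what to do with a request. `host` and `url` come straight from the request;
// `isSecure` is true when the request itself arrived over TLS.
function planResponse({ host, url, isSecure }, { preload = false } = {}) {
  if (!isSecure) {
    // Permanent redirect so browsers and crawlers remember; keep path and query intact.
    return { status: 301, headers: { Location: `https://${host}${url}` } };
  }
  return {
    status: 200,
    headers: { 'Strict-Transport-Security': hstsHeaderValue({ preload }) },
  };
}

// Glue for a real Node server: http.createServer(handler). It is not started here.
function handler(req, res) {
  const plan = planResponse({
    host: req.headers.host,
    url: req.url,
    isSecure: Boolean(req.socket && req.socket.encrypted),
  });
  res.writeHead(plan.status, plan.headers);
  res.end(plan.status === 200 ? 'hello over TLS\n' : '');
}

// Constructed sample requests (hostname is made up).
const PLAIN_REQUEST = { host: 'example.com', url: '/login?next=%2Fadmin', isSecure: false };
const TLS_REQUEST = { host: 'example.com', url: '/login?next=%2Fadmin', isSecure: true };
```

If a reverse proxy terminates TLS in front of the application, derive `isSecure` from a header that only your proxy can set and that it overwrites on every request; trusting a client-supplied `X-Forwarded-Proto` would let anyone skip the redirect.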
bit
• Check new passwords against known breaches
• Block known breached passwords
• Doesn't matter if it wasn't a breach from your site
• Don't reuse your passwords
• Don't expire passwords
• No, seriously, don't expire passwords (NIST SP 800-63B says the same: no periodic expiry, but do screen against breach corpora)
• Unless they're breached, that is
• Using SilverStripe?
• firesphere/haveibeenpwnd
is better than nothing
• Users will not like it
• Adds security to your accounts: a phished or leaked password alone is no longer enough to log in
• Does not prevent password leaks though
the scripts you're loading really what you think they are?
• Base64 of a SHA-256/384/512 hash in the script tag's `integrity` attribute
• Store the hash, don't calculate it at runtime
• If the hash differs, the browser refuses to run the script
• A changed analytics script becomes visible immediately, as a blocked load
• Admittedly, it's bloody annoying while writing code