& security expert
• Team: Ninja Unicorns
• Author of MFA modules for SilverStripe 3 & 4
• Cat owner
• Hans the cow is my mascot
• I have a zoo on my desk
• Scarily obsessed with security*
• LEGO!
• Born Dutch
• Bribable with Whisk(e)y, beer or LEGO
• I have a lot of stickers! (Come talk to me if you want one)
That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed. ⬅ That’s my cat, Marika, she would like a boop. That’s Hans ➡ ⬅ The zoo
Simon `Firesphere` Erkelens | 2019
be second
• Security should be the first thing on your mind
• Use the tools available
• Think about the implications of your work
• Have security issues as a part of your checklist
• And, remember...
be breached. If not today, it’ll be tomorrow
• Preparing for the worst is better than hoping for the best
• Most breaches are due to bad practices by (in no particular order):
  • SysOps
  • DevOps
  • Software Engineers
  • Clients
  • End users
  • CMS Users
  • P E O P L E
for social engineering
Social engineering is very easy. It works even when your target knows it is coming, even when they invite people to try it, and note that this target was a security expert.
we’ll cover
• Make sure your own projects are safe
• OWASP
• Use password managers
• Add HTTPS
• Update your password rules
• Implement Multi Factor Authentication
• Make sure your content is what you expect
• Monitor your implementations
practices
• roave/security-advisories
  • require or require-dev
• Keep up to date with the latest known security issues
Project
• Their Top 10 of vulnerability risks is a good place to start
• Juice Shop project
• Zed Attack Proxy
• And a lot more!
for “Secure Connection”
• Try visiting an http site on hotel wifi and compare it to https
  • httpforever.com
• Let’s Encrypt
  • CertBot, ACME2, Secure updates… Let’s Encrypt
• Don’t go EV, never go EV
  • Seriously, it’s a waste of money nowadays
• Keep your certificates up to date
  • CertBot does that for you
• Register as HSTS and set your HSTS time-out (the max-age)
• Force HTTPS across your entire site
• Show your clients Troy Hunt’s demo if they are not sure
• DO NOT EVER disable pasting of passwords in password fields
• Explain to your client why
• Explain the benefits
• Suggest them to your client, here are a few:
  • BitWarden (My favourite, I’m not being paid to say this)
  • 1Password
  • LastPass
bit
• Check new passwords against known breaches
• Block known breached passwords
  • Doesn’t matter if it wasn’t a breach from your site
• Don’t reuse your passwords
• Don’t expire passwords
  • No, seriously, don’t expire passwords
  • Unless they’re breached that is
• Using SilverStripe?
  • firesphere/haveibeenpwnd
is better than nothing
• Users will not like it
• Adds security to your accounts
• Does not prevent password leaks though
Firewall lockdown for example
• Does your admin interface need to be completely public?
• What happens on the internet, stays on the internet
• Is that S3 bucket secured?
did I just…”
Protect your secrets
Be careful what you commit
• That secret you committed has been compromised
• Check twice, commit once
• Immediately invalidate keys if needed
secure
• HttpOnly if you don’t need to read them with JavaScript
• Use the Secure flag, only transport cookies over https
• Eat them
the scripts you’re loading really what you think of them?
• Base64 of a sha-256/384/512 hash
• Store the hash, don’t calculate it at runtime
• A different hash means the browser blocks the load
• Changes to analytics scripts become immediately visible
• Admittedly, it’s bloody annoying while writing code
<script src="//cdn.cloudflare.com/my/library/2.0.dist.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
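As an added example that is not part of the slides, the script below builds the integrity value used in a tag like the one above and emulates how a browser decides whether to load the resource, including the multi-hash and unparseable-metadata cases. The library body and the CDN URL are constructed for the demonstration.

```python
import base64
import hashlib

# Algorithms SRI permits, weakest to strongest; browsers keep only the strongest listed.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample: the body of a library you would otherwise fetch from a CDN.
LIBRARY_JS = b"window.myLib = { version: '2.0', init: function () {} };\n"

def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Return the integrity value for content, e.g. 'sha256-<base64 digest>'.
    Compute it once at build time and store it in the tag; recomputing it from
    the live resource at runtime would prove nothing."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI supports only {SRI_ALGORITHMS}, not {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def integrity_matches(content: bytes, integrity: str) -> bool:
    """Emulate the browser's decision for a fetched resource.
    Several hashes may be listed; only those of the strongest algorithm count,
    and the resource loads if any of them matches. Metadata the browser cannot
    parse disables the check (fail-open), so a typo removes the protection."""
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        digest = rest.split("?", 1)[0]  # drop any "?option" suffix
        if algo in SRI_ALGORITHMS and digest:
            parsed.append((algo, digest))
    if not parsed:
        return True  # no valid metadata: the browser skips the check
    strongest = max((a for a, _ in parsed), key=SRI_ALGORITHMS.index)
    expected = {d for a, d in parsed if a == strongest}
    return sri_hash(content, strongest).split("-", 1)[1] in expected

def script_tag(src: str, content: bytes, algo: str = "sha256") -> str:
    """Render a <script> tag pinned to exactly this content."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            'crossorigin="anonymous"></script>')

if __name__ == "__main__":
    pinned = sri_hash(LIBRARY_JS)
    print(script_tag("//cdn.example.com/my/library/2.0.dist.js", LIBRARY_JS))
    print("unchanged library loads:", integrity_matches(LIBRARY_JS, pinned))
    # One appended byte (CDN compromise or a silent update) blocks the load.
    print("modified library loads:", integrity_matches(LIBRARY_JS + b"x", pinned))
```

Run it against a real file (`sri_hash(open("dist.js", "rb").read())`) to produce the attribute for your own deployment; the same function verifies a downloaded copy before you trust it.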
sure you’re doing the best you can
• Identify missing headers
• Links to how to implement missing headers
• Advice on how to improve
make sure you’re doing the best you can
• It’s okay, you’re not the only one
• Find out how to improve
• Improve one step at a time
• It’s not critical, but definitely best practice