Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
hey-devs-time-to-care-about-web-apps-security.pdf
Search
Ignacio Anaya
November 20, 2018
0
92
hey-devs-time-to-care-about-web-apps-security.pdf
Ignacio Anaya
November 20, 2018
Tweet
Share
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
450
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
120
Security is not a feature!
ianaya89
1
330
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
100
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
260
Vue.js, PWA & The Subway Dilemma
ianaya89
0
160
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
110
A Token Walks into SPA
ianaya89
0
540
Featured
See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
5
450
Statistics for Hackers
jakevdp
796
220k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Raft: Consensus for Rubyists
vanstee
137
6.7k
Thoughts on Productivity
jonyablonski
67
4.4k
What's in a price? How to price your products and services
michaelherold
243
12k
Testing 201, or: Great Expectations
jmmastey
40
7.1k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Scaling GitHub
holman
458
140k
How STYLIGHT went responsive
nonsquared
95
5.2k
Designing Experiences People Love
moore
138
23k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Transcript
Hey Devs, Time to take care about web security! !
⏱ Time to take care about web security! - @ianaya89 1
! Nacho Anaya ! @ianaya89 • JavaScript Engineer @BloqInc •
Ambassador @Auth0 • Organizer @Vuenos_Aires Time to take care about web security! - @ianaya89 2
!" Time to take care about web security! - @ianaya89
3
"There are two types of companies: those that have been
hacked, and those who don't know they have been hacked." John T. Chambers Time to take care about web security! - @ianaya89 4
! Understand the Problem Time to take care about web
security! - @ianaya89 5
! 2017 4.2 billon leaks Time to take care about
web security! - @ianaya89 6
Time to take care about web security! - @ianaya89 7
! Loose Money Time to take care about web security!
- @ianaya89 8
! Loose Trust Time to take care about web security!
- @ianaya89 9
! ⏱ Invest! Time to take care about web security!
- @ianaya89 10
"If you spend more on coffee than on IT security,
you will be hacked. Whats more, you deserve to be hacked" Richard A. Clarke Time to take care about web security! - @ianaya89 11
! Vulnerabili+es Everywhere! Time to take care about web security!
- @ianaya89 12
Time to take care about web security! - @ianaya89 13
Time to take care about web security! - @ianaya89 14
! TCP is Complicated Time to take care about web
security! - @ianaya89 15
HTTP/S - WebSockets - DNS - TCP - FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Time to take care about web security! - @ianaya89 16
! Browsers Too Time to take care about web security!
- @ianaya89 17
HTML - CSS - JS Time to take care about
web security! - @ianaya89 18
DOM - Geoloca,on - Mul,media - Fetch - Web Sockets
Time to take care about web security! - @ianaya89 19
! Understand the Solu/on Time to take care about web
security! - @ianaya89 20
! There is no perfect security... Time to take care
about web security! - @ianaya89 21
! Security is not a nice to have Time to
take care about web security! - @ianaya89 22
! Security is by default Time to take care about
web security! - @ianaya89 23
! Always, but always assume the worst Time to take
care about web security! - @ianaya89 24
! Hackers gonna hack Time to take care about web
security! - @ianaya89 25
! Know your app Time to take care about web
security! - @ianaya89 26
! Input Vectors Time to take care about web security!
- @ianaya89 27
Query String - URL Path - Request Body - Cookies
- Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Time to take care about web security! - @ianaya89 28
⚠ Don't trust the users Time to take care about
web security! - @ianaya89 29
! Must Do Time to take care about web security!
- @ianaya89 30
! HTTPS ! It's 2018 Time to take care about
web security! - @ianaya89 31
Time to take care about web security! - @ianaya89 32
! HSTS strict-transport-security-policy Time to take care about web security!
- @ianaya89 33
! Injec'on Time to take care about web security! -
@ianaya89 34
! ✅ Injec'on • Validate input in the SERVER •
Sani1ze Everything Time to take care about web security! - @ianaya89 35
! XSS Time to take care about web security! -
@ianaya89 36
Time to take care about web security! - @ianaya89 37
! ✅ XSS • Validate & sani-ze all inputs •
Encode output (HTML) • Use proper headers Time to take care about web security! - @ianaya89 38
! " XSS Headers • String-Transport-Security • X-Frame-Op6ons • X-XSS-Protec6on
• X-Content-Type-Op6ons • Content-Security-Policy Time to take care about web security! - @ianaya89 39
⚔ CSRF Time to take care about web security! -
@ianaya89 40
⚔ ✅ CSRF • Random token in request • same-site
cookie flag Time to take care about web security! - @ianaya89 41
! Session Management Time to take care about web security!
- @ianaya89 42
! ✅ Session Management • Don't expose token (URL, Browser
Storage) • Tokens must expire • OAUTH - OpenID - Auth0 Time to take care about web security! - @ianaya89 43
! Password Management Time to take care about web security!
- @ianaya89 44
! ✅ Password Management • bcrypt for hashing (with salt)
• Strong passwords • MFA Time to take care about web security! - @ianaya89 45
! Cookie Management Time to take care about web security!
- @ianaya89 46
! " Cookie Flags • httpOnly • secure Time to
take care about web security! - @ianaya89 47
! ↩ Cookie Scoping • domain • path • expires
Time to take care about web security! - @ianaya89 48
! use strict Time to take care about web security!
- @ianaya89 49
! Logging & Errors Time to take care about web
security! - @ianaya89 50
! Sensi've Data Exposure Time to take care about web
security! - @ianaya89 51
Time to take care about web security! - @ianaya89 52
! ✅ Sensi've Data Exposure Just don't! Time to take
care about web security! - @ianaya89 53
! OSS Time to take care about web security! -
@ianaya89 54
! OWASP Top 10 owasp.org Time to take care about
web security! - @ianaya89 55
Time to take care about web security! - @ianaya89 56
! Tools • Re$reJS • npm nsp • docker Time
to take care about web security! - @ianaya89 57
! Resources • owasp.org • WebGoat • Web Security Basics
• MIT Computer Systems Security Time to take care about web security! - @ianaya89 58
! Time to take care about web security! - @ianaya89
59
! Take Away Time to take care about web security!
- @ianaya89 60
✌ Promote a security culture! Time to take care about
web security! - @ianaya89 61
⏱ Security is important, 1me to take care! Time to
take care about web security! - @ianaya89 62
! Thanks! ! Ques&ons? ! @ianaya89 Time to take care
about web security! - @ianaya89 63