Upgrade to Pro — share decks privately, control downloads, hide ads and more …

hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya
November 20, 2018
0
74

 hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya

November 20, 2018
Tweet

More Decks by Ignacio Anaya

See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
420
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
110
Security is not a feature!
ianaya89
1
310
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
87
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
240
Vue.js, PWA & The Subway Dilemma
ianaya89
0
140
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
97
A Token Walks into SPA
ianaya89
0
500

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
The Art of Programming - Codeland 2020
erikaheidi
43
12k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
14
8.4k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
For a Future-Friendly Web
brad_frost
172
9k
[RailsConf 2023] Rails as a piece of cake
palkan
28
4k
Teambox: Starting and Learning
jrom
128
8.4k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
A designer walks into a library…
pauljervisheath
201
23k
How STYLIGHT went responsive
nonsquared
92
4.8k

Transcript

  1. Hey Devs, Time to take care about web security! !

    ⏱ Time to take care about web security! - @ianaya89 1

  2. ! Nacho Anaya ! @ianaya89 • JavaScript Engineer @BloqInc •

    Ambassador @Auth0 • Organizer @Vuenos_Aires Time to take care about web security! - @ianaya89 2

  3. !" Time to take care about web security! - @ianaya89

    3

  4. "There are two types of companies: those that have been

    hacked, and those who don't know they have been hacked." John T. Chambers Time to take care about web security! - @ianaya89 4

  5. ! Understand the Problem Time to take care about web

    security! - @ianaya89 5

  6. ! 2017 4.2 billon leaks Time to take care about

    web security! - @ianaya89 6

  7. Time to take care about web security! - @ianaya89 7

  8. ! Loose Money Time to take care about web security!

    - @ianaya89 8

  9. ! Loose Trust Time to take care about web security!

    - @ianaya89 9

  10. ! ⏱ Invest! Time to take care about web security!

    - @ianaya89 10

  11. "If you spend more on coffee than on IT security,

    you will be hacked. Whats more, you deserve to be hacked" Richard A. Clarke Time to take care about web security! - @ianaya89 11

  12. ! Vulnerabili+es Everywhere! Time to take care about web security!

    - @ianaya89 12

  13. Time to take care about web security! - @ianaya89 13

  14. Time to take care about web security! - @ianaya89 14

  15. ! TCP is Complicated Time to take care about web

    security! - @ianaya89 15

  16. HTTP/S - WebSockets - DNS - TCP - FTP -

    IPv4 - IPv6 - SSH- ASCII - IRC Time to take care about web security! - @ianaya89 16

  17. ! Browsers Too Time to take care about web security!

    - @ianaya89 17

  18. HTML - CSS - JS Time to take care about

    web security! - @ianaya89 18

  19. DOM - Geoloca,on - Mul,media - Fetch - Web Sockets

    Time to take care about web security! - @ianaya89 19

  20. ! Understand the Solu/on Time to take care about web

    security! - @ianaya89 20

  21. ! There is no perfect security... Time to take care

    about web security! - @ianaya89 21

  22. ! Security is not a nice to have Time to

    take care about web security! - @ianaya89 22

  23. ! Security is by default Time to take care about

    web security! - @ianaya89 23

  24. ! Always, but always assume the worst Time to take

    care about web security! - @ianaya89 24

  25. ! Hackers gonna hack Time to take care about web

    security! - @ianaya89 25

  26. ! Know your app Time to take care about web

    security! - @ianaya89 26

  27. ! Input Vectors Time to take care about web security!

    - @ianaya89 27

  28. Query String - URL Path - Request Body - Cookies

    - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Time to take care about web security! - @ianaya89 28

  29. ⚠ Don't trust the users Time to take care about

    web security! - @ianaya89 29

  30. ! Must Do Time to take care about web security!

    - @ianaya89 30

  31. ! HTTPS ! It's 2018 Time to take care about

    web security! - @ianaya89 31

  32. Time to take care about web security! - @ianaya89 32

  33. ! HSTS strict-transport-security-policy Time to take care about web security!

    - @ianaya89 33

  34. ! Injec'on Time to take care about web security! -

    @ianaya89 34

  35. ! ✅ Injec'on • Validate input in the SERVER •

    Sani1ze Everything Time to take care about web security! - @ianaya89 35

  36. ! XSS Time to take care about web security! -

    @ianaya89 36

  37. Time to take care about web security! - @ianaya89 37

  38. ! ✅ XSS • Validate & sani-ze all inputs •

    Encode output (HTML) • Use proper headers Time to take care about web security! - @ianaya89 38

  39. ! " XSS Headers • String-Transport-Security • X-Frame-Op6ons • X-XSS-Protec6on

    • X-Content-Type-Op6ons • Content-Security-Policy Time to take care about web security! - @ianaya89 39

  40. ⚔ CSRF Time to take care about web security! -

    @ianaya89 40

  41. ⚔ ✅ CSRF • Random token in request • same-site

    cookie flag Time to take care about web security! - @ianaya89 41

  42. ! Session Management Time to take care about web security!

    - @ianaya89 42

  43. ! ✅ Session Management • Don't expose token (URL, Browser

    Storage) • Tokens must expire • OAUTH - OpenID - Auth0 Time to take care about web security! - @ianaya89 43

  44. ! Password Management Time to take care about web security!

    - @ianaya89 44

  45. ! ✅ Password Management • bcrypt for hashing (with salt)

    • Strong passwords • MFA Time to take care about web security! - @ianaya89 45

  46. ! Cookie Management Time to take care about web security!

    - @ianaya89 46

  47. ! " Cookie Flags • httpOnly • secure Time to

    take care about web security! - @ianaya89 47

  48. ! ↩ Cookie Scoping • domain • path • expires

    Time to take care about web security! - @ianaya89 48

  49. ! use strict Time to take care about web security!

    - @ianaya89 49

  50. ! Logging & Errors Time to take care about web

    security! - @ianaya89 50

  51. ! Sensi've Data Exposure Time to take care about web

    security! - @ianaya89 51

  52. Time to take care about web security! - @ianaya89 52

  53. ! ✅ Sensi've Data Exposure Just don't! Time to take

    care about web security! - @ianaya89 53

  54. ! OSS Time to take care about web security! -

    @ianaya89 54

  55. ! OWASP Top 10 owasp.org Time to take care about

    web security! - @ianaya89 55

  56. Time to take care about web security! - @ianaya89 56

  57. ! Tools • Re$reJS • npm nsp • docker Time

    to take care about web security! - @ianaya89 57

  58. ! Resources • owasp.org • WebGoat • Web Security Basics

    • MIT Computer Systems Security Time to take care about web security! - @ianaya89 58

  59. ! Time to take care about web security! - @ianaya89

    59

  60. ! Take Away Time to take care about web security!

    - @ianaya89 60

  61. ✌ Promote a security culture! Time to take care about

    web security! - @ianaya89 61

  62. ⏱ Security is important, 1me to take care! Time to

    take care about web security! - @ianaya89 62

  63. ! Thanks! ! Ques&ons? ! @ianaya89 Time to take care

    about web security! - @ianaya89 63