hey-devs-time-to-care-about-web-apps-security.pdf

Ignacio Anaya

November 20, 2018
Transcript

  1. Hey Devs, Time to take care about web security! ⏱ Time to take care about web security! - @ianaya89
  2. Nacho Anaya @ianaya89 • JavaScript Engineer @BloqInc • Ambassador @Auth0 • Organizer @Vuenos_Aires
  3. (no text on this slide)
  4. "There are two types of companies: those that have been hacked, and those who don't know they have been hacked." John T. Chambers
  5. Understand the Problem
  6. 2017: 4.2 billion leaks
  7. (no text on this slide)
  8. Lose Money
  9. Lose Trust
  10. ⏱ Invest!
  11. "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Richard A. Clarke
  12. Vulnerabilities Everywhere!
  13. (no text on this slide)
  14. (no text on this slide)
  15. TCP is Complicated
  16. HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
  17. Browsers Too
  18. HTML - CSS - JS
  19. DOM - Geolocation - Multimedia - Fetch - Web Sockets
  20. Understand the Solution
  21. There is no perfect security...
  22. Security is not a nice-to-have
  23. Security by default
  24. Always, but always, assume the worst
  25. Hackers gonna hack
  26. Know your app
  27. Input Vectors
  28. Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage
  29. ⚠ Don't trust the users
  30. Must Do
  31. HTTPS! It's 2018
  32. (no text on this slide)
  33. HSTS (Strict-Transport-Security header)
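Worked example for slides 31-33, added here and not code from the talk: a request is redirected to HTTPS if it arrived in the clear, and the Strict-Transport-Security header is sent only on TLS responses, since browsers ignore HSTS over plain HTTP. It assumes a TLS-terminating proxy that sets X-Forwarded-Proto (and strips any copy the client sent) and an ALLOWED_HOSTS list of the hostnames this app serves; both are assumptions, as is the Express-style (req, res, next) middleware shape.

```javascript
'use strict';
// Added example for slides 31-33 (not code from the talk). Decides, per
// request, whether to redirect to HTTPS and which HSTS header to send.
// Assumptions: a TLS-terminating proxy sets X-Forwarded-Proto, and
// ALLOWED_HOSTS lists the hostnames we actually serve.

const ONE_YEAR = 60 * 60 * 24 * 365; // seconds
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']); // assumed

function isTls(req) {
  // X-Forwarded-Proto is trusted only because our own proxy sets it and
  // drops any value the client supplied (deployment assumption).
  const forwarded = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  if (forwarded) return forwarded.toLowerCase() === 'https';
  return Boolean(req.socket && req.socket.encrypted);
}

function httpsPolicy(req) {
  const host = (req.headers.host || '').toLowerCase();
  // Redirecting to whatever Host the client sent would let an attacker bounce
  // victims to a site they control, so only redirect to hosts we own.
  if (!ALLOWED_HOSTS.has(host)) {
    return { status: 400, headers: {}, body: 'unknown host' };
  }
  if (!isTls(req)) {
    // Plain HTTP: send the browser to HTTPS before serving any content. No
    // HSTS here on purpose: browsers ignore it on non-TLS responses.
    return { status: 301, headers: { Location: `https://${host}${req.url}` }, body: '' };
  }
  return {
    status: 200,
    headers: {
      // For max-age seconds the browser upgrades every request to this host
      // itself; includeSubDomains extends that to subdomains. Start with a
      // short max-age in production and raise it once nothing breaks.
      'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains`,
    },
    body: null, // the application renders the actual page
  };
}

// Middleware in the (req, res, next) shape used by Express/Connect.
function enforceHttps(req, res, next) {
  const decision = httpsPolicy(req);
  for (const [name, value] of Object.entries(decision.headers)) res.setHeader(name, value);
  if (decision.status !== 200) {
    res.statusCode = decision.status;
    res.end(decision.body);
    return;
  }
  next();
}
```

Mount `enforceHttps` before any route so that nothing, not even a login form, is ever served over HTTP.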
  34. Injection
  35. ✅ Injection • Validate input on the SERVER • Sanitize everything
  36. XSS
  37. (no text on this slide)
  38. ✅ XSS • Validate & sanitize all inputs • Encode output (HTML) • Use proper headers
  39. XSS Headers • Strict-Transport-Security • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options • Content-Security-Policy
  40. ⚔ CSRF
  41. ⚔ ✅ CSRF • Random token in the request • SameSite cookie flag
  42. Session Management
  43. ✅ Session Management • Don't expose the token (URL, browser storage) • Tokens must expire • OAuth - OpenID - Auth0
  44. Password Management
  45. ✅ Password Management • bcrypt for hashing (with salt) • Strong passwords • MFA
  46. Cookie Management
  47. Cookie Flags • HttpOnly • Secure
  48. ↩ Cookie Scoping • Domain • Path • Expires
  49. use strict
  50. Logging & Errors
  51. Sensitive Data Exposure
  52. (no text on this slide)
  53. ✅ Sensitive Data Exposure: Just don't!
  54. OSS
  55. OWASP Top 10 owasp.org
  56. (no text on this slide)
  57. Tools • RetireJS • npm nsp (the Node Security Platform; its checks have since moved into npm audit) • docker
  58. Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security
  59. (no text on this slide)
  60. Take Away
  61. ✌ Promote a security culture!
  62. ⏱ Security is important, time to take care!
  63. Thanks! Questions? @ianaya89