Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security is not a feature!
Search
Ignacio Anaya
June 13, 2020
Technology
1
320
Security is not a feature!
Ignacio Anaya
June 13, 2020
Tweet
Share
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
430
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
120
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
99
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
250
Vue.js, PWA & The Subway Dilemma
ianaya89
0
160
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
110
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
89
A Token Walks into SPA
ianaya89
0
530
Other Decks in Technology
See All in Technology
AWS CodePipelineでコンテナアプリをデプロイした際に、古いイメージを自動で削除する
smt7174
1
130
軽量DDDはもういらない! スタイルガイド本で OOPの実装パターンを学ぼう
panda_program
29
11k
ライブラリでしかお目にかかれない珍しい実装
mikanichinose
2
330
福岡新卒エンジニアの会
teba_eleven
1
180
AIチャットボット開発への生成AI活用
ryomrt
0
110
ZOZOTOWNのホーム画面をパーソナライズすることの難しさと裏話を語る
f6wbl6
1
470
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
9
120k
コンテナのトラブルシューティング目線から AWS SAW についてしゃべってみる
kazzpapa3
1
120
形式手法の 10 メートル手前 #kernelvm / Kernel VM Study Hokuriku Part 7
ytaka23
5
740
10分でわかるfreeeのQA
freee
1
3.4k
Datachain会社紹介資料(2024年11月) / Company Deck
datachain
4
17k
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
2
790
Featured
See All Featured
Become a Pro
speakerdeck
PRO
25
5k
The Language of Interfaces
destraynor
154
24k
Faster Mobile Websites
deanohume
305
30k
GitHub's CSS Performance
jonrohan
1030
460k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Designing for humans not robots
tammielis
249
25k
The Invisible Side of Design
smashingmag
297
50k
Building Your Own Lightsaber
phodgson
102
6.1k
YesSQL, Process and Tooling at Scale
rocio
168
14k
Building an army of robots
kneath
302
42k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Transcript
Security is not a feature! ! Security is not a
feature! - @ianaya89 1
! Nacho Anaya ! @ianaya89 • ! Principal Engineer https://
twitter.com/@BalloonPlatform • " Ambassador @Auth0 & @GitKraken • # Tech Speaker @MozTechSpeakers • $ Organizador @Vuenos_Aires Security is not a feature! - @ianaya89 2
!" Security is not a feature! - @ianaya89 3
"Hay dos tipos de empresas: aquellas que han sido hackeadas
y aquellas que todavía no saben que han sido hackeadas" John T. Chambers Security is not a feature! - @ianaya89 4
! Entender el problema Security is not a feature! -
@ianaya89 5
! Zoom Security is not a feature! - @ianaya89 6
Competencia Despareja ! ... Security is not a feature! -
@ianaya89 7
! 3.5 Billones Security is not a feature! - @ianaya89
8
Security is not a feature! - @ianaya89 9
! Perdida de Dinero Security is not a feature! -
@ianaya89 10
! Perdida de Confianza Security is not a feature! -
@ianaya89 11
! Cultura • ! Capacitación • " Politicas • ⏱
Tiempo • $ Dinero Security is not a feature! - @ianaya89 12
"Si gastas mas dinero en cafe que en Seguridad IT,
vas a ser hackeado. En realidad, te mereces ser hackeado" Richard A. Clarke Security is not a feature! - @ianaya89 13
! " Invertir! Security is not a feature! - @ianaya89
14
! Mirada Sistémica Security is not a feature! - @ianaya89
15
! Vulnerabilidades Security is not a feature! - @ianaya89 16
Heartbleed Security is not a feature! - @ianaya89 17
Security is not a feature! - @ianaya89 18
! TCP es complejo Security is not a feature! -
@ianaya89 19
HTTP/S - WebSockets - DNS - TCP - FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature! - @ianaya89 20
! Los navegadores tambien Security is not a feature! -
@ianaya89 21
HTML - CSS - JS Security is not a feature!
- @ianaya89 22
DOM - Geolocation - Multimedia - Fetch - Web Sockets
- Storage Security is not a feature! - @ianaya89 23
! Entender la Solución Security is not a feature! -
@ianaya89 24
! No hay solución perfecta Security is not a feature!
- @ianaya89 25
! Pero podemos prepararnos Security is not a feature! -
@ianaya89 26
! Seguridad no es "nice to have" Security is not
a feature! - @ianaya89 27
! Seguridad por defecto Security is not a feature! -
@ianaya89 28
! Siempre, pero siempre... Asumamos lo peor Security is not
a feature! - @ianaya89 29
! Conocer tu Aplicación. Security is not a feature! -
@ianaya89 30
! Vectores de Entrada Security is not a feature! -
@ianaya89 31
Query String - URL Path - Request Body - Cookies
- Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Security is not a feature! - @ianaya89 32
⚠ No confiar en los usuarios Security is not a
feature! - @ianaya89 33
✅ Checklist de Seguridad Security is not a feature! -
@ianaya89 34
! Security is not a feature! - @ianaya89 35
! HTTPS ! 2020 Security is not a feature! -
@ianaya89 36
Security is not a feature! - @ianaya89 37
⬇ Actualizar Versiones • Node.js (12.18.0 LTS) • npm (6.14.4)
• express (4.17.1) Security is not a feature! - @ianaya89 38
! Actualizar Dependencias • npm audit • dependant-bot • Snyk
Security is not a feature! - @ianaya89 39
! Linter eslint-plugin-security Security is not a feature! - @ianaya89
40
! SQL / No-SQL Injection Security is not a feature!
- @ianaya89 41
! ✅ SQL / No-SQL Injection • Validar inputs en
el SERVER • Sanitizar queries • Usar ORM / ODM Security is not a feature! - @ianaya89 42
! " SQL / No-SQL Injection • mongoose • sequelize
Security is not a feature! - @ianaya89 43
! XSS Security is not a feature! - @ianaya89 44
Security is not a feature! - @ianaya89 45
!✅ XSS • Validar inputs en el SERVER • "Encodear"
output (HTML) • Secure Response Headers Security is not a feature! - @ianaya89 46
! " XSS Headers - HSTS - HPKP - X-Frame-Options
- X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy Secure Headers Security is not a feature! - @ianaya89 47
!" XSS • @hapi/joi • express-validator • helmet • csurf
(CSRF) Security is not a feature! - @ianaya89 48
! DoS Security is not a feature! - @ianaya89 49
! ✅ DoS • Rate limiting • Manejo de errores
• "Crasheos" explícitos • Validacion de Regex • Bloqueo de Usuarios / IP Security is not a feature! - @ianaya89 50
! " DoS • express-rate-limit (basico) • node-rate-limiter-flexible (avanzado) •
try/cath - catch() - if (err) • safe-regex Security is not a feature! - @ianaya89 51
! Sesiones & Tokens Security is not a feature! -
@ianaya89 52
! ✅ Sesiones & Tokens • No exponer • Expirar
• Blacklist o WhiteList • OAUTH - OpenID Security is not a feature! - @ianaya89 53
! " Sesiones & Tokens • jsonwebtoken • passport •
Auth0 - Okta - Firebase Security is not a feature! - @ianaya89 54
! Passwords Security is not a feature! - @ianaya89 55
Time to crack Security is not a feature! - @ianaya89
56
! ✅ Passwords • hash + salt (no usar crypto)
• Contraseñas fuertes (entropia) • MFA Security is not a feature! - @ianaya89 57
! " Passwords • bcrypt • speakeasy • Auth0 -
Okta - Firebase • Twilio Security is not a feature! - @ianaya89 58
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature! - @ianaya89 59
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature! - @ianaya89 60
! " Have I been pawned? API & DB Security
is not a feature! - @ianaya89 61
! Dev Passwords & Secrets • CI • Dev Tools
• Cloud • Keys - Tokens - Secrets Security is not a feature! - @ianaya89 62
! ✅ Dev Passwords & Secrets • 1Password • Blackbox
• GPG • Secret Manager (AWS) • MFA ⚠ Security is not a feature! - @ianaya89 63
! Cookies Security is not a feature! - @ianaya89 64
! " Cookies Flags • httpOnly • secure • SameSite
Security is not a feature! - @ianaya89 65
! ↩ Cookies Scoping • domain • path • expires
Security is not a feature! - @ianaya89 66
! Logging & Monitoring Security is not a feature! -
@ianaya89 67
! " Logging & Monitoring • winston • express-status-monitor Security
is not a feature! - @ianaya89 68
! " Logging & Monitoring • datadog & new relic
(monitoreo) • sentry & bugsnag (errores) • papertrail & loggly (logs) • pingdom & checkly (status) Security is not a feature! - @ianaya89 69
! Exponer Información Sensible Security is not a feature! -
@ianaya89 70
Security is not a feature! - @ianaya89 71
! ✅ Exponer Información Sensible Simplemente no! Security is not
a feature! - @ianaya89 72
Security is not a feature! - @ianaya89 73
! OWASP Top 10 owasp.org Security is not a feature!
- @ianaya89 74
! Recursos • owasp.org • WebGoat • Web Security Basics
• MIT Computer Systems Security • The Node.js best practices list • Web Application Security Security is not a feature! - @ianaya89 75
! Take Away Security is not a feature! - @ianaya89
76
Security is not a feature! - @ianaya89 77
✌ Crear una cultura de seguridad Security is not a
feature! - @ianaya89 78
! Security is not a feature! - @ianaya89 79
! Gracias! ! Preguntas? ! @ianaya89 Security is not a
feature! - @ianaya89 80