Security is not a feature!

Ignacio Anaya

June 13, 2020

Transcript

  1. Security is not a feature! - @ianaya89
  2. Nacho Anaya @ianaya89 • Principal Engineer https://twitter.com/@BalloonPlatform • Ambassador @Auth0 & @GitKraken • Tech Speaker @MozTechSpeakers • Organizer @Vuenos_Aires
  3. (no text)
  4. "There are two types of companies: those that have been hacked, and those that don't yet know they have been hacked." John T. Chambers
  5. Understand the problem
  6. Zoom
  7. Uneven competition ...
  8. 3.5 billion
  9. (no text)
  10. Loss of money
  11. Loss of trust
  12. Culture • Training • Policies • ⏱ Time • Money
  13. "If you spend more money on coffee than on IT security, you will be hacked. In fact, you deserve to be hacked." Richard A. Clarke
  14. Invest!
  15. A systemic view
  16. Vulnerabilities
  17. Heartbleed
  18. (no text)
  19. TCP is complex
  20. HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
  21. Browsers too
  22. HTML - CSS - JS
  23. DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage
  24. Understand the solution
  25. There is no perfect solution
  26. But we can prepare
  27. Security is not a "nice to have"
  28. Secure by default
  29. Always, always... assume the worst
  30. Know your application.
  31. Input vectors
  32. Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage
  33. ⚠ Don't trust users
  34. ✅ Security checklist
  35. (no text)
  36. HTTPS 2020
  37. (no text)
  38. ⬇ Update versions • Node.js (12.18.0 LTS) • npm (6.14.4) • express (4.17.1)
  39. Update dependencies • npm audit • dependant-bot • Snyk
  40. Linter: eslint-plugin-security
  41. SQL / No-SQL Injection
  42. ✅ SQL / No-SQL Injection • Validate inputs on the SERVER • Sanitize queries • Use an ORM / ODM
  43. SQL / No-SQL Injection • mongoose • sequelize
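Slides 42 and 43 reduce to "validate on the server before the value reaches the query". The following is an added example, not code from the talk or from mongoose/sequelize, showing what that validation looks like for a login body: the rules, field names and sample bodies are constructed for illustration, and the code assumes a JSON body parser (such as `express.json()`) has already produced the `body` object. The point it makes is that checking `typeof` against the expected primitive type is what stops a MongoDB operator object like `{ "$gt": "" }` from being forwarded as if it were a password string.

```javascript
// Added example (not from the talk): server-side validation of a login
// request body before any database filter is built from it.

// Constructed policy: the shape every login request must have.
const CREDENTIAL_RULES = {
  username: { type: 'string', minLength: 3, maxLength: 64, pattern: /^[a-zA-Z0-9._-]+$/ },
  password: { type: 'string', minLength: 8, maxLength: 256 },
};

// Returns { ok: true, value } with only the validated fields copied out,
// or { ok: false, errors } listing every violation found.
function validateCredentials(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(CREDENTIAL_RULES)) {
    const v = body[field];
    // The type check is the key step: an operator object ({ "$gt": "" })
    // is never a string, so it is rejected before a query exists.
    if (typeof v !== rule.type) {
      errors.push(`${field}: expected ${rule.type}, got ${v === null ? 'null' : typeof v}`);
      continue;
    }
    if (v.length < rule.minLength || v.length > rule.maxLength) {
      errors.push(`${field}: length must be between ${rule.minLength} and ${rule.maxLength}`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(v)) {
      errors.push(`${field}: contains characters outside the allowed set`);
      continue;
    }
    value[field] = v;
  }
  // Fields not in the policy (e.g. "role") are dropped, never forwarded.
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Builds the user-lookup filter from validated data only. The password is
// deliberately not part of the filter: it is compared against the stored
// hash (bcrypt, per the talk) after the record has been fetched.
function buildUserFilter(validated) {
  if (!validated.ok) throw new Error('refusing to build a query from invalid input');
  return { username: validated.value.username };
}

// Constructed request bodies: a normal login and an operator-injection attempt.
const goodBody = { username: 'nacho', password: 'correct horse battery' };
const injectedBody = { username: 'nacho', password: { $gt: '' } };

console.log(validateCredentials(goodBody));      // { ok: true, value: {...} }
console.log(validateCredentials(injectedBody));  // { ok: false, errors: [...] }
```

Libraries such as @hapi/joi or express-validator (slide 48) implement the same idea with a declarative schema; the hand-written version above shows what they are doing underneath.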
  44. XSS
  45. (no text)
  46. ✅ XSS • Validate inputs on the SERVER • Encode output (HTML) • Secure response headers
  47. XSS Headers - HSTS - HPKP - X-Frame-Options - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy Secure Headers
  48. XSS • @hapi/joi • express-validator • helmet • csurf (CSRF)
  49. DoS
  50. ✅ DoS • Rate limiting • Error handling • Explicit "crashes" • Regex validation • Block users / IPs
  51. DoS • express-rate-limit (basic) • node-rate-limiter-flexible (advanced) • try/catch - catch() - if (err) • safe-regex
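Slides 50 and 51 name rate limiting as the first DoS control and express-rate-limit as the basic tool. The block below is an added example, not code from the talk or from express-rate-limit, showing the fixed-window algorithm that such a middleware applies (a `windowMs` and a `max` per key), with the clock passed in so the behaviour can be reasoned about and tested. The `rateLimit` wrapper follows the Express `(req, res, next)` middleware shape; the option names and the `prune` method are this example's own choices, not the library's API.

```javascript
// Added example (not from the talk): an in-memory fixed-window rate
// limiter of the kind express-rate-limit provides, plus an Express-style
// middleware built on it.
class FixedWindowRateLimiter {
  constructor({ windowMs, max }) {
    this.windowMs = windowMs;
    this.max = max;
    this.buckets = new Map(); // key -> { count, windowStart }
  }

  // Records one request for `key` (client IP, user id, API key) at time
  // `now` and reports whether it is allowed, how much quota is left and,
  // when blocked, how long the client should wait (for Retry-After).
  check(key, now = Date.now()) {
    let bucket = this.buckets.get(key);
    if (!bucket || now - bucket.windowStart >= this.windowMs) {
      bucket = { count: 0, windowStart: now }; // start a fresh window
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= this.max) {
      return { allowed: false, remaining: 0, retryAfterMs: bucket.windowStart + this.windowMs - now };
    }
    bucket.count += 1;
    return { allowed: true, remaining: this.max - bucket.count, retryAfterMs: 0 };
  }

  // Drops expired buckets so the limiter's own memory stays bounded under
  // a flood of distinct keys; otherwise the limiter becomes a DoS target.
  // Returns the number of buckets still tracked.
  prune(now = Date.now()) {
    for (const [key, bucket] of this.buckets) {
      if (now - bucket.windowStart >= this.windowMs) this.buckets.delete(key);
    }
    return this.buckets.size;
  }
}

// Express-style middleware. `keyFn` defaults to the client IP; the 429
// response carries Retry-After so well-behaved clients back off.
function rateLimit(options, keyFn = (req) => req.ip) {
  const limiter = new FixedWindowRateLimiter(options);
  return function (req, res, next) {
    const result = limiter.check(keyFn(req));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      return res.status(429).send('Too Many Requests');
    }
    next();
  };
}

// Constructed usage: 3 requests per minute from one address.
const demo = new FixedWindowRateLimiter({ windowMs: 60_000, max: 3 });
const t0 = Date.now();
for (let i = 0; i < 4; i++) console.log(demo.check('10.0.0.1', t0 + i));
```

A fixed window lets a client spend its whole quota at the end of one window and again at the start of the next; where that burst matters, a sliding window or token bucket (what node-rate-limiter-flexible, listed as the advanced option, offers) is the next step. Note also that `req.ip` is only a trustworthy key when the app runs behind a proxy it is configured to trust.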
  52. Sessions & Tokens
  53. ✅ Sessions & Tokens • Don't expose • Expire • Blacklist or whitelist • OAuth - OpenID
  54. Sessions & Tokens • jsonwebtoken • passport • Auth0 - Okta - Firebase
  55. Passwords
  56. Time to crack
  57. ✅ Passwords • hash + salt (don't use crypto) • Strong passwords (entropy) • MFA
  58. Passwords • bcrypt • speakeasy • Auth0 - Okta - Firebase • Twilio
  59. Have I been pwned? https://haveibeenpwned.com
  60. Have I been pwned? https://haveibeenpwned.com
  61. Have I been pwned? API & DB
  62. Dev Passwords & Secrets • CI • Dev Tools • Cloud • Keys - Tokens - Secrets
  63. ✅ Dev Passwords & Secrets • 1Password • Blackbox • GPG • Secret Manager (AWS) • MFA ⚠
  64. Cookies
  65. Cookie flags • httpOnly • secure • SameSite
  66. ↩ Cookie scoping • domain • path • expires
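Slides 65 and 66 list the cookie flags (httpOnly, secure, SameSite) and the scoping attributes (domain, path, expires) without showing what a correctly built header looks like. The block below is an added example, not code from the talk, that renders a `Set-Cookie` header with safe defaults, parses one back, and audits a session cookie for the flags the slides call for. The function names, the audit wording and the sample header values are constructed for this example; the attribute names are the standard ones from the cookie specification.

```javascript
// Added example (not from the talk): build, parse and audit Set-Cookie
// headers for the flags and scoping attributes listed on the slides.

// Renders a Set-Cookie header value. The defaults are the safe ones, so a
// caller has to opt out of HttpOnly / Secure / SameSite explicitly.
function buildSetCookie(name, value, opts = {}) {
  const {
    httpOnly = true, secure = true, sameSite = 'Lax',
    domain, path = '/', maxAge, expires,
  } = opts;
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error('invalid cookie name');
  // Encoding the value keeps an attacker-influenced string from smuggling
  // extra attributes into the header (e.g. "x; Domain=evil.example").
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`Path=${path}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parses a Set-Cookie header value into { name, value, attrs }; attribute
// names are lower-cased and flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Audits a session cookie header and returns the findings; [] means clean.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: script can read the cookie, so XSS can steal the session');
  if (!attrs.secure) findings.push('missing Secure: the cookie is also sent over plain HTTP');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push('SameSite not Lax/Strict: the cookie rides along on cross-site requests (CSRF)');
  if (!attrs.expires && !attrs['max-age']) findings.push('no Expires/Max-Age: set an explicit session lifetime');
  if (attrs.domain) findings.push(`Domain=${attrs.domain} set: the cookie is shared with every subdomain; omit it unless that is intended`);
  return findings;
}

// Constructed sample headers.
const goodHeader = buildSetCookie('sid', 'abc123', { maxAge: 3600, sameSite: 'Strict' });
const weakHeader = 'sid=abc123; Path=/';
console.log(goodHeader);
console.log(auditSessionCookie(weakHeader));
```

In Express, `res.cookie(name, value, { httpOnly: true, secure: true, sameSite: 'strict', maxAge })` sets the same attributes; the audit function is useful against responses from a running app to confirm that no code path sets a session cookie with weaker options.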
  67. Logging & Monitoring
  68. Logging & Monitoring • winston • express-status-monitor
  69. Logging & Monitoring • datadog & new relic (monitoring) • sentry & bugsnag (errors) • papertrail & loggly (logs) • pingdom & checkly (status)
  70. Exposing sensitive information
  71. (no text)
  72. ✅ Exposing sensitive information: Just don't!
  73. (no text)
  74. OWASP Top 10 owasp.org
  75. Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security • The Node.js best practices list • Web Application Security
  76. Take Away
  77. (no text)
  78. ✌ Build a security culture
  79. (no text)
  80. Thanks! Questions? @ianaya89