Security is not a feature!
Ignacio Anaya
June 13, 2020
Technology
Transcript
1. Security is not a feature! - @ianaya89
2. Nacho Anaya, @ianaya89 • Principal Engineer, https://twitter.com/@BalloonPlatform • Ambassador @Auth0 & @GitKraken • Tech Speaker @MozTechSpeakers • Organizer @Vuenos_Aires
3. (image-only slide)
4. "There are two kinds of companies: those that have been hacked, and those that don't yet know they have been hacked." John T. Chambers
5. Understanding the problem
6. Zoom
7. Uneven competition ...
8. 3.5 billion
9. (image-only slide)
10. Losing money
11. Losing trust
12. Culture • Training • Policies • ⏱ Time • Money
13. "If you spend more money on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Richard A. Clarke
14. Invest!
15. A systemic view
16. Vulnerabilities
17. Heartbleed
18. (image-only slide)
19. TCP is complex
20. HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
21. Browsers are too
22. HTML - CSS - JS
23. DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage
24. Understanding the solution
25. There is no perfect solution
26. But we can be prepared
27. Security is not a "nice to have"
28. Secure by default
29. Always, always... assume the worst
30. Know your application.
31. Input vectors
32. Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage
33. ⚠ Don't trust users
34. ✅ Security checklist
35. (image-only slide)
36. HTTPS, 2020
37. (image-only slide)
38. ⬇ Update versions • Node.js (12.18.0 LTS) • npm (6.14.4) • express (4.17.1)
39. Update dependencies • npm audit • Dependabot • Snyk
40. Linter: eslint-plugin-security
41. SQL / NoSQL injection
42. ✅ SQL / NoSQL injection • Validate inputs on the SERVER • Sanitize queries • Use an ORM / ODM
43. SQL / NoSQL injection • mongoose • sequelize
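The "validate inputs on the server" step from the injection checklist, as an added example that is not the talk's code: it assumes an Express-style login handler that receives a parsed JSON body and turns it into a Mongo-style filter, and shows why a field that must be a string has to be type-checked before it reaches the query.

```javascript
// Added example: server-side validation of a login body before any of it
// becomes a MongoDB-style filter. A parsed JSON body can carry an object
// where a string is expected; operator keys such as "$gt" inside such an
// object would change the meaning of the query if passed through unchanged.
const MAX_LEN = 256;

// Accept only a plain, non-empty, bounded string for the given field.
function requireString(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a string`);
  }
  if (value.length === 0 || value.length > MAX_LEN) {
    throw new RangeError(`${field} has invalid length`);
  }
  return value;
}

// Defence in depth for documents that may legitimately be nested (e.g. a
// profile update): drop keys starting with "$" or containing "." at every level.
function stripOperators(input) {
  if (Array.isArray(input)) return input.map(stripOperators);
  if (input === null || typeof input !== 'object') return input;
  const clean = {};
  for (const [key, val] of Object.entries(input)) {
    if (key.startsWith('$') || key.includes('.')) continue;
    clean[key] = stripOperators(val);
  }
  return clean;
}

// Build the lookup filter only from validated scalars, never from the raw body.
// The password is validated too, but it is compared against the stored hash
// later, not used as a query field.
function buildLoginFilter(body) {
  const username = requireString(body && body.username, 'username');
  const password = requireString(body && body.password, 'password');
  return { filter: { username }, password };
}

// Constructed sample inputs (not from the talk): a normal login body and one
// where the password field is an object instead of a string.
const goodBody = { username: 'alice', password: 'correct horse' };
const badBody = { username: 'alice', password: { $gt: '' } };

function demo() {
  const ok = buildLoginFilter(goodBody);
  let rejected = false;
  try { buildLoginFilter(badBody); } catch (e) { rejected = e instanceof TypeError; }
  return { ok, rejected };
}
```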
44. XSS
45. (image-only slide)
46. ✅ XSS • Validate inputs on the SERVER • Encode output (HTML) • Secure response headers
47. XSS: secure headers - HSTS - HPKP - X-Frame-Options - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy
48. XSS • @hapi/joi • express-validator • helmet • csurf (CSRF)
49. DoS
50. ✅ DoS • Rate limiting • Error handling • Explicit crashes • Regex validation • Blocking users / IPs
51. DoS • express-rate-limit (basic) • node-rate-limiter-flexible (advanced) • try/catch - catch() - if (err) • safe-regex
52. Sessions & tokens
53. ✅ Sessions & tokens • Don't expose them • Expire them • Blacklist or whitelist • OAuth - OpenID
54. Sessions & tokens • jsonwebtoken • passport • Auth0 - Okta - Firebase
55. Passwords
56. Time to crack
57. ✅ Passwords • hash + salt (don't use the crypto module directly) • Strong passwords (entropy) • MFA
58. Passwords • bcrypt • speakeasy • Auth0 - Okta - Firebase • Twilio
59-60. Have I Been Pwned? https://haveibeenpwned.com
61. Have I Been Pwned? API & DB
62. Dev passwords & secrets • CI • Dev tools • Cloud • Keys - Tokens - Secrets
63. ✅ Dev passwords & secrets • 1Password • Blackbox • GPG • Secret Manager (AWS) • MFA ⚠
64. Cookies
65. Cookie flags • httpOnly • secure • SameSite
66. ↩ Cookie scoping • domain • path • expires
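The cookie flags and scoping attributes from the two slides above, as an added example (not the talk's code): it serializes a Set-Cookie header, applies the defaults a session cookie should have, and checks an existing header line for missing protections; the cookie name sid and the one-hour lifetime are assumptions.

```javascript
// Added example: Set-Cookie serialization with the flags from the slides.
function serializeCookie(name, value, opts = {}) {
  if (!/^[\w!#$%&'*.^`|~+-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  // Scoping: which hosts and paths receive the cookie, and for how long.
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.expires instanceof Date) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  // Flags: hide from scripts, require HTTPS, limit cross-site sending.
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const mode = String(opts.sameSite);
    if (!['Strict', 'Lax', 'None'].includes(mode)) throw new Error('invalid SameSite');
    if (mode === 'None' && !opts.secure) throw new Error('SameSite=None requires Secure');
    parts.push(`SameSite=${mode}`);
  }
  return parts.join('; ');
}

// Defaults for a session cookie: not readable by scripts, HTTPS only,
// not sent on cross-site requests, and short-lived.
function sessionCookie(token, maxAgeSeconds = 3600) {
  return serializeCookie('sid', token, {
    httpOnly: true, secure: true, sameSite: 'Lax', path: '/', maxAge: maxAgeSeconds,
  });
}

// Review helper: list the protections a Set-Cookie header line lacks.
function missingFlags(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  if (!attrs.some((a) => a.startsWith('expires=') || a.startsWith('max-age='))) missing.push('expiry');
  return missing;
}
```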
67. Logging & monitoring
68. Logging & monitoring • winston • express-status-monitor
69. Logging & monitoring • datadog & new relic (monitoring) • sentry & bugsnag (errors) • papertrail & loggly (logs) • pingdom & checkly (status)
70. Exposing sensitive information
71. (image-only slide)
72. ✅ Exposing sensitive information: just don't!
73. (image-only slide)
74. OWASP Top 10 owasp.org
75. Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security • The Node.js best practices list • Web Application Security
76. Take away
77. (image-only slide)
78. ✌ Build a security culture
79. (image-only slide)
80. Thanks! Questions? @ianaya89