Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security is not a feature!
Search
Ignacio Anaya
June 13, 2020
Technology
400
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Security is not a feature!
Ignacio Anaya
June 13, 2020
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
540
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
170
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
150
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
310
Vue.js, PWA & The Subway Dilemma
ianaya89
0
230
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
170
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
140
A Token Walks into SPA
ianaya89
0
640
Other Decks in Technology
See All in Technology
プロンプト_きのこカンファレンス2026_LT
yurufuwahealer
0
150
Terraform共通モジュールをチーム横断で“変えられる”運用へ ― リリースと適用の分離
kekke_n
1
2.3k
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
2
180
クラウド上のデータ復旧で見落としがちな制約: 医療系 SaaS の BCP 設計から得た教訓
kakehashi
PRO
0
3k
完全自律ロボットを作りたくて、先に開発を自律させた話(ROS Japan UG #63 LT)
rryz09
0
440
プロダクトだけじゃない、社内プロセスにおける自動化・省力化ノススメ
kakehashi
PRO
1
3.2k
End-to-Endで考える信頼性 —LINEアプリにおけるクライアント開発×SRE連携の実践
maruloop
4
3.6k
テスト設計の本質を改めて考えてみる~生成AIを活用する時代だからこそ、作ったテストの説明性を高めよう~
yamasaki696
1
410
NDIAS CTF 2026 問題解説会資料
bata_24
0
180
生成AI活用によるODC欠陥分析の分類高速化の実践と導入効果 / 20260703 Suguru Ishii
shift_evolve
PRO
2
120
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
2.3k
キャリアの中で本を作る / Making a Book During Your Career
ak1210
0
130
Featured
See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.8k
Build your cross-platform service in a week with App Engine
jlugia
234
18k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
190
Become a Pro
speakerdeck
PRO
31
6k
[RailsConf 2023] Rails as a piece of cake
palkan
59
6.7k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
How STYLIGHT went responsive
nonsquared
100
6.2k
SERP Conf. Vienna - Web Accessibility: Optimizing for Inclusivity and SEO
sarafernandez
2
1.5k
HTML-Aware ERB: The Path to Reactive Rendering @ RubyCon 2026, Rimini, Italy
marcoroth
2
320
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
630
Redefining SEO in the New Era of Traffic Generation
szymonslowik
1
360
Digital Ethics as a Driver of Design Innovation
axbom
PRO
1
340
Transcript
Security is not a feature! ! Security is not a
feature! - @ianaya89 1
! Nacho Anaya ! @ianaya89 • ! Principal Engineer https://
twitter.com/@BalloonPlatform • " Ambassador @Auth0 & @GitKraken • # Tech Speaker @MozTechSpeakers • $ Organizador @Vuenos_Aires Security is not a feature! - @ianaya89 2
!" Security is not a feature! - @ianaya89 3
"Hay dos tipos de empresas: aquellas que han sido hackeadas
y aquellas que todavía no saben que han sido hackeadas" John T. Chambers Security is not a feature! - @ianaya89 4
! Entender el problema Security is not a feature! -
@ianaya89 5
! Zoom Security is not a feature! - @ianaya89 6
Competencia Despareja ! ... Security is not a feature! -
@ianaya89 7
! 3.5 Billones Security is not a feature! - @ianaya89
8
Security is not a feature! - @ianaya89 9
! Perdida de Dinero Security is not a feature! -
@ianaya89 10
! Perdida de Confianza Security is not a feature! -
@ianaya89 11
! Cultura • ! Capacitación • " Politicas • ⏱
Tiempo • $ Dinero Security is not a feature! - @ianaya89 12
"Si gastas mas dinero en cafe que en Seguridad IT,
vas a ser hackeado. En realidad, te mereces ser hackeado" Richard A. Clarke Security is not a feature! - @ianaya89 13
! " Invertir! Security is not a feature! - @ianaya89
14
! Mirada Sistémica Security is not a feature! - @ianaya89
15
! Vulnerabilidades Security is not a feature! - @ianaya89 16
Heartbleed Security is not a feature! - @ianaya89 17
Security is not a feature! - @ianaya89 18
! TCP es complejo Security is not a feature! -
@ianaya89 19
HTTP/S - WebSockets - DNS - TCP - FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature! - @ianaya89 20
! Los navegadores tambien Security is not a feature! -
@ianaya89 21
HTML - CSS - JS Security is not a feature!
- @ianaya89 22
DOM - Geolocation - Multimedia - Fetch - Web Sockets
- Storage Security is not a feature! - @ianaya89 23
! Entender la Solución Security is not a feature! -
@ianaya89 24
! No hay solución perfecta Security is not a feature!
- @ianaya89 25
! Pero podemos prepararnos Security is not a feature! -
@ianaya89 26
! Seguridad no es "nice to have" Security is not
a feature! - @ianaya89 27
! Seguridad por defecto Security is not a feature! -
@ianaya89 28
! Siempre, pero siempre... Asumamos lo peor Security is not
a feature! - @ianaya89 29
! Conocer tu Aplicación. Security is not a feature! -
@ianaya89 30
! Vectores de Entrada Security is not a feature! -
@ianaya89 31
Query String - URL Path - Request Body - Cookies
- Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Security is not a feature! - @ianaya89 32
⚠ No confiar en los usuarios Security is not a
feature! - @ianaya89 33
✅ Checklist de Seguridad Security is not a feature! -
@ianaya89 34
! Security is not a feature! - @ianaya89 35
! HTTPS ! 2020 Security is not a feature! -
@ianaya89 36
Security is not a feature! - @ianaya89 37
⬇ Actualizar Versiones • Node.js (12.18.0 LTS) • npm (6.14.4)
• express (4.17.1) Security is not a feature! - @ianaya89 38
! Actualizar Dependencias • npm audit • dependant-bot • Snyk
Security is not a feature! - @ianaya89 39
! Linter eslint-plugin-security Security is not a feature! - @ianaya89
40
! SQL / No-SQL Injection Security is not a feature!
- @ianaya89 41
! ✅ SQL / No-SQL Injection • Validar inputs en
el SERVER • Sanitizar queries • Usar ORM / ODM Security is not a feature! - @ianaya89 42
! " SQL / No-SQL Injection • mongoose • sequelize
Security is not a feature! - @ianaya89 43
! XSS Security is not a feature! - @ianaya89 44
Security is not a feature! - @ianaya89 45
!✅ XSS • Validar inputs en el SERVER • "Encodear"
output (HTML) • Secure Response Headers Security is not a feature! - @ianaya89 46
! " XSS Headers - HSTS - HPKP - X-Frame-Options
- X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy Secure Headers Security is not a feature! - @ianaya89 47
!" XSS • @hapi/joi • express-validator • helmet • csurf
(CSRF) Security is not a feature! - @ianaya89 48
! DoS Security is not a feature! - @ianaya89 49
! ✅ DoS • Rate limiting • Manejo de errores
• "Crasheos" explícitos • Validacion de Regex • Bloqueo de Usuarios / IP Security is not a feature! - @ianaya89 50
! " DoS • express-rate-limit (basico) • node-rate-limiter-flexible (avanzado) •
try/cath - catch() - if (err) • safe-regex Security is not a feature! - @ianaya89 51
! Sesiones & Tokens Security is not a feature! -
@ianaya89 52
! ✅ Sesiones & Tokens • No exponer • Expirar
• Blacklist o WhiteList • OAUTH - OpenID Security is not a feature! - @ianaya89 53
! " Sesiones & Tokens • jsonwebtoken • passport •
Auth0 - Okta - Firebase Security is not a feature! - @ianaya89 54
! Passwords Security is not a feature! - @ianaya89 55
Time to crack Security is not a feature! - @ianaya89
56
! ✅ Passwords • hash + salt (no usar crypto)
• Contraseñas fuertes (entropia) • MFA Security is not a feature! - @ianaya89 57
! " Passwords • bcrypt • speakeasy • Auth0 -
Okta - Firebase • Twilio Security is not a feature! - @ianaya89 58
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature! - @ianaya89 59
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature! - @ianaya89 60
! " Have I been pawned? API & DB Security
is not a feature! - @ianaya89 61
! Dev Passwords & Secrets • CI • Dev Tools
• Cloud • Keys - Tokens - Secrets Security is not a feature! - @ianaya89 62
! ✅ Dev Passwords & Secrets • 1Password • Blackbox
• GPG • Secret Manager (AWS) • MFA ⚠ Security is not a feature! - @ianaya89 63
! Cookies Security is not a feature! - @ianaya89 64
! " Cookies Flags • httpOnly • secure • SameSite
Security is not a feature! - @ianaya89 65
! ↩ Cookies Scoping • domain • path • expires
Security is not a feature! - @ianaya89 66
! Logging & Monitoring Security is not a feature! -
@ianaya89 67
! " Logging & Monitoring • winston • express-status-monitor Security
is not a feature! - @ianaya89 68
! " Logging & Monitoring • datadog & new relic
(monitoreo) • sentry & bugsnag (errores) • papertrail & loggly (logs) • pingdom & checkly (status) Security is not a feature! - @ianaya89 69
! Exponer Información Sensible Security is not a feature! -
@ianaya89 70
Security is not a feature! - @ianaya89 71
! ✅ Exponer Información Sensible Simplemente no! Security is not
a feature! - @ianaya89 72
Security is not a feature! - @ianaya89 73
! OWASP Top 10 owasp.org Security is not a feature!
- @ianaya89 74
! Recursos • owasp.org • WebGoat • Web Security Basics
• MIT Computer Systems Security • The Node.js best practices list • Web Application Security Security is not a feature! - @ianaya89 75
! Take Away Security is not a feature! - @ianaya89
76
Security is not a feature! - @ianaya89 77
✌ Crear una cultura de seguridad Security is not a
feature! - @ianaya89 78
! Security is not a feature! - @ianaya89 79
! Gracias! ! Preguntas? ! @ianaya89 Security is not a
feature! - @ianaya89 80