Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security is not a feature!
Search
Ignacio Anaya
June 13, 2020
Technology
1
360
Security is not a feature!
Ignacio Anaya
June 13, 2020
Tweet
Share
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Security is not a feature‼️
ianaya89
2
500
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
140
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
130
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
290
Vue.js, PWA & The Subway Dilemma
ianaya89
0
200
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
140
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
120
A Token Walks into SPA
ianaya89
0
590
Other Decks in Technology
See All in Technology
「タコピーの原罪」から学ぶ間違った”支援” / the bad support of Takopii
piyonakajima
0
110
OAuthからOIDCへ ― 認可の仕組みが認証に拡張されるまで
yamatai1212
0
160
Contract One Engineering Unit 紹介資料
sansan33
PRO
0
8.9k
AWS UG Grantでグローバル20名に選出されてre:Inventに行く話と、マルチクラウドセキュリティの教科書を執筆した話 / The Story of Being Selected for the AWS UG Grant to Attending re:Invent, and Writing a Multi-Cloud Security Textbook
yuj1osm
1
120
旅で応援する✈️ NEWTが目指すコミュニティ支援とあたらしい旅行 / New Travel: Supporting by NEWT on Your Journey
mii3king
0
140
Linux カーネルが支えるコンテナの仕組み / LF Japan Community Days 2025 Osaka
tenforward
1
110
あなたの知らない Linuxカーネル脆弱性の世界
recruitengineers
PRO
3
130
それでも私が品質保証プロセスを作り続ける理由 #テストラジオ / Why I still continue to create QA process
pineapplecandy
0
150
「魔法少女まどか☆マギカ Magia Exedra」の多様なバトルの開発を柔軟かつ効率的に実現するためのPure C#とUnityの分離について
gree_tech
PRO
0
240
Copilot Studio ハンズオン - 生成オーケストレーションモード
tomoyasasakimskk
0
190
エンタメとAIのための3Dパラレルワールド構築(GPU UNITE 2025 特別講演)
pfn
PRO
0
630
HonoとJSXを使って管理画面をサクッと型安全に作ろう
diggymo
0
160
Featured
See All Featured
How to train your dragon (web standard)
notwaldorf
97
6.3k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
190
55k
Optimising Largest Contentful Paint
csswizardry
37
3.5k
Gamification - CAS2011
davidbonilla
81
5.5k
What’s in a name? Adding method to the madness
productmarketing
PRO
24
3.7k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
54k
Product Roadmaps are Hard
iamctodd
PRO
55
11k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
31
2.7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.5k
Documentation Writing (for coders)
carmenintech
75
5.1k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.5k
Transcript
Security is not a feature! ! Security is not a
feature! - @ianaya89 1
! Nacho Anaya ! @ianaya89 • ! Principal Engineer https://
twitter.com/@BalloonPlatform • " Ambassador @Auth0 & @GitKraken • # Tech Speaker @MozTechSpeakers • $ Organizador @Vuenos_Aires Security is not a feature! - @ianaya89 2
!" Security is not a feature! - @ianaya89 3
"Hay dos tipos de empresas: aquellas que han sido hackeadas
y aquellas que todavía no saben que han sido hackeadas" John T. Chambers Security is not a feature! - @ianaya89 4
! Entender el problema Security is not a feature! -
@ianaya89 5
! Zoom Security is not a feature! - @ianaya89 6
Competencia Despareja ! ... Security is not a feature! -
@ianaya89 7
! 3.5 Billones Security is not a feature! - @ianaya89
8
Security is not a feature! - @ianaya89 9
! Perdida de Dinero Security is not a feature! -
@ianaya89 10
! Perdida de Confianza Security is not a feature! -
@ianaya89 11
! Cultura • ! Capacitación • " Politicas • ⏱
Tiempo • $ Dinero Security is not a feature! - @ianaya89 12
"Si gastas mas dinero en cafe que en Seguridad IT,
vas a ser hackeado. En realidad, te mereces ser hackeado" Richard A. Clarke Security is not a feature! - @ianaya89 13
! " Invertir! Security is not a feature! - @ianaya89
14
! Mirada Sistémica Security is not a feature! - @ianaya89
15
! Vulnerabilidades Security is not a feature! - @ianaya89 16
Heartbleed Security is not a feature! - @ianaya89 17
Security is not a feature! - @ianaya89 18
! TCP es complejo Security is not a feature! -
@ianaya89 19
HTTP/S - WebSockets - DNS - TCP - FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature! - @ianaya89 20
! Los navegadores tambien Security is not a feature! -
@ianaya89 21
HTML - CSS - JS Security is not a feature!
- @ianaya89 22
DOM - Geolocation - Multimedia - Fetch - Web Sockets
- Storage Security is not a feature! - @ianaya89 23
! Entender la Solución Security is not a feature! -
@ianaya89 24
! No hay solución perfecta Security is not a feature!
- @ianaya89 25
! Pero podemos prepararnos Security is not a feature! -
@ianaya89 26
! Seguridad no es "nice to have" Security is not
a feature! - @ianaya89 27
! Seguridad por defecto Security is not a feature! -
@ianaya89 28
! Siempre, pero siempre... Asumamos lo peor Security is not
a feature! - @ianaya89 29
! Conocer tu Aplicación. Security is not a feature! -
@ianaya89 30
! Vectores de Entrada Security is not a feature! -
@ianaya89 31
Query String - URL Path - Request Body - Cookies
- Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Security is not a feature! - @ianaya89 32
⚠ No confiar en los usuarios Security is not a
feature! - @ianaya89 33
✅ Checklist de Seguridad Security is not a feature! -
@ianaya89 34
! Security is not a feature! - @ianaya89 35
! HTTPS ! 2020 Security is not a feature! -
@ianaya89 36
Security is not a feature! - @ianaya89 37
⬇ Actualizar Versiones • Node.js (12.18.0 LTS) • npm (6.14.4)
• express (4.17.1) Security is not a feature! - @ianaya89 38
! Actualizar Dependencias • npm audit • dependant-bot • Snyk
Security is not a feature! - @ianaya89 39
! Linter eslint-plugin-security Security is not a feature! - @ianaya89
40
! SQL / No-SQL Injection Security is not a feature!
- @ianaya89 41
! ✅ SQL / No-SQL Injection • Validar inputs en
el SERVER • Sanitizar queries • Usar ORM / ODM Security is not a feature! - @ianaya89 42
! " SQL / No-SQL Injection • mongoose • sequelize
Security is not a feature! - @ianaya89 43
! XSS Security is not a feature! - @ianaya89 44
Security is not a feature! - @ianaya89 45
!✅ XSS • Validar inputs en el SERVER • "Encodear"
output (HTML) • Secure Response Headers Security is not a feature! - @ianaya89 46
! " XSS Headers - HSTS - HPKP - X-Frame-Options
- X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy Secure Headers Security is not a feature! - @ianaya89 47
!" XSS • @hapi/joi • express-validator • helmet • csurf
(CSRF) Security is not a feature! - @ianaya89 48
! DoS Security is not a feature! - @ianaya89 49
! ✅ DoS • Rate limiting • Manejo de errores
• "Crasheos" explícitos • Validacion de Regex • Bloqueo de Usuarios / IP Security is not a feature! - @ianaya89 50
! " DoS • express-rate-limit (basico) • node-rate-limiter-flexible (avanzado) •
try/cath - catch() - if (err) • safe-regex Security is not a feature! - @ianaya89 51
! Sesiones & Tokens Security is not a feature! -
@ianaya89 52
! ✅ Sesiones & Tokens • No exponer • Expirar
• Blacklist o WhiteList • OAUTH - OpenID Security is not a feature! - @ianaya89 53
! " Sesiones & Tokens • jsonwebtoken • passport •
Auth0 - Okta - Firebase Security is not a feature! - @ianaya89 54
! Passwords Security is not a feature! - @ianaya89 55
Time to crack Security is not a feature! - @ianaya89
56
! ✅ Passwords • hash + salt (no usar crypto)
• Contraseñas fuertes (entropia) • MFA Security is not a feature! - @ianaya89 57
! " Passwords • bcrypt • speakeasy • Auth0 -
Okta - Firebase • Twilio Security is not a feature! - @ianaya89 58
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature! - @ianaya89 59
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature! - @ianaya89 60
! " Have I been pawned? API & DB Security
is not a feature! - @ianaya89 61
! Dev Passwords & Secrets • CI • Dev Tools
• Cloud • Keys - Tokens - Secrets Security is not a feature! - @ianaya89 62
! ✅ Dev Passwords & Secrets • 1Password • Blackbox
• GPG • Secret Manager (AWS) • MFA ⚠ Security is not a feature! - @ianaya89 63
! Cookies Security is not a feature! - @ianaya89 64
! " Cookies Flags • httpOnly • secure • SameSite
Security is not a feature! - @ianaya89 65
! ↩ Cookies Scoping • domain • path • expires
Security is not a feature! - @ianaya89 66
! Logging & Monitoring Security is not a feature! -
@ianaya89 67
! " Logging & Monitoring • winston • express-status-monitor Security
is not a feature! - @ianaya89 68
! " Logging & Monitoring • datadog & new relic
(monitoreo) • sentry & bugsnag (errores) • papertrail & loggly (logs) • pingdom & checkly (status) Security is not a feature! - @ianaya89 69
! Exponer Información Sensible Security is not a feature! -
@ianaya89 70
Security is not a feature! - @ianaya89 71
! ✅ Exponer Información Sensible Simplemente no! Security is not
a feature! - @ianaya89 72
Security is not a feature! - @ianaya89 73
! OWASP Top 10 owasp.org Security is not a feature!
- @ianaya89 74
! Recursos • owasp.org • WebGoat • Web Security Basics
• MIT Computer Systems Security • The Node.js best practices list • Web Application Security Security is not a feature! - @ianaya89 75
! Take Away Security is not a feature! - @ianaya89
76
Security is not a feature! - @ianaya89 77
✌ Crear una cultura de seguridad Security is not a
feature! - @ianaya89 78
! Security is not a feature! - @ianaya89 79
! Gracias! ! Preguntas? ! @ianaya89 Security is not a
feature! - @ianaya89 80