Security is not a feature!

Transcript

1. Security is not a feature! ! Security is not a

   feature! - @ianaya89 1

2. ! Nacho Anaya ! @ianaya89 • ! Principal Engineer https://

   twitter.com/@BalloonPlatform • " Ambassador @Auth0 & @GitKraken • # Tech Speaker @MozTechSpeakers • $ Organizador @Vuenos_Aires Security is not a feature! - @ianaya89 2

3. !" Security is not a feature! - @ianaya89 3

4. "Hay dos tipos de empresas: aquellas que han sido hackeadas

   y aquellas que todavía no saben que han sido hackeadas" John T. Chambers Security is not a feature! - @ianaya89 4

5. ! Entender el problema Security is not a feature! -

   @ianaya89 5

6. ! Zoom Security is not a feature! - @ianaya89 6

7. Competencia Despareja ! ... Security is not a feature! -

   @ianaya89 7

8. ! 3.5 Billones Security is not a feature! - @ianaya89

   8

9. Security is not a feature! - @ianaya89 9

10. ! Perdida de Dinero Security is not a feature! -

    @ianaya89 10

11. ! Perdida de Confianza Security is not a feature! -

    @ianaya89 11

12. ! Cultura • ! Capacitación • " Politicas • ⏱

    Tiempo • $ Dinero Security is not a feature! - @ianaya89 12

13. "Si gastas mas dinero en cafe que en Seguridad IT,

    vas a ser hackeado. En realidad, te mereces ser hackeado" Richard A. Clarke Security is not a feature! - @ianaya89 13

14. ! " Invertir! Security is not a feature! - @ianaya89

    14

15. ! Mirada Sistémica Security is not a feature! - @ianaya89

    15

16. ! Vulnerabilidades Security is not a feature! - @ianaya89 16

17. Heartbleed Security is not a feature! - @ianaya89 17

18. Security is not a feature! - @ianaya89 18

19. ! TCP es complejo Security is not a feature! -

    @ianaya89 19

20. HTTP/S - WebSockets - DNS - TCP - FTP -

    IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature! - @ianaya89 20

21. ! Los navegadores tambien Security is not a feature! -

    @ianaya89 21

22. HTML - CSS - JS Security is not a feature!

    - @ianaya89 22

23. DOM - Geolocation - Multimedia - Fetch - Web Sockets

    - Storage Security is not a feature! - @ianaya89 23

24. ! Entender la Solución Security is not a feature! -

    @ianaya89 24

25. ! No hay solución perfecta Security is not a feature!

    - @ianaya89 25

26. ! Pero podemos prepararnos Security is not a feature! -

    @ianaya89 26

27. ! Seguridad no es "nice to have" Security is not

    a feature! - @ianaya89 27

28. ! Seguridad por defecto Security is not a feature! -

    @ianaya89 28

29. ! Siempre, pero siempre... Asumamos lo peor Security is not

    a feature! - @ianaya89 29

30. ! Conocer tu Aplicación. Security is not a feature! -

    @ianaya89 30

31. ! Vectores de Entrada Security is not a feature! -

    @ianaya89 31

32. Query String - URL Path - Request Body - Cookies

    - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage Security is not a feature! - @ianaya89 32

33. ⚠ No confiar en los usuarios Security is not a

    feature! - @ianaya89 33

34. ✅ Checklist de Seguridad Security is not a feature! -

    @ianaya89 34

35. ! Security is not a feature! - @ianaya89 35

36. ! HTTPS ! 2020 Security is not a feature! -

    @ianaya89 36

37. Security is not a feature! - @ianaya89 37

38. ⬇ Actualizar Versiones • Node.js (12.18.0 LTS) • npm (6.14.4)

    • express (4.17.1) Security is not a feature! - @ianaya89 38

39. ! Actualizar Dependencias • npm audit • dependant-bot • Snyk

    Security is not a feature! - @ianaya89 39

40. ! Linter eslint-plugin-security Security is not a feature! - @ianaya89

    40

41. ! SQL / No-SQL Injection Security is not a feature!

    - @ianaya89 41

42. ! ✅ SQL / No-SQL Injection • Validar inputs en

    el SERVER • Sanitizar queries • Usar ORM / ODM Security is not a feature! - @ianaya89 42

43. ! " SQL / No-SQL Injection • mongoose • sequelize

    Security is not a feature! - @ianaya89 43

44. ! XSS Security is not a feature! - @ianaya89 44

45. Security is not a feature! - @ianaya89 45

46. !✅ XSS • Validar inputs en el SERVER • "Encodear"

    output (HTML) • Secure Response Headers Security is not a feature! - @ianaya89 46

47. ! " XSS Headers - HSTS - HPKP - X-Frame-Options

    - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy Secure Headers Security is not a feature! - @ianaya89 47

48. !" XSS • @hapi/joi • express-validator • helmet • csurf

    (CSRF) Security is not a feature! - @ianaya89 48

49. ! DoS Security is not a feature! - @ianaya89 49

50. ! ✅ DoS • Rate limiting • Manejo de errores

    • "Crasheos" explícitos • Validacion de Regex • Bloqueo de Usuarios / IP Security is not a feature! - @ianaya89 50

51. ! " DoS • express-rate-limit (basico) • node-rate-limiter-flexible (avanzado) •

    try/cath - catch() - if (err) • safe-regex Security is not a feature! - @ianaya89 51

52. ! Sesiones & Tokens Security is not a feature! -

    @ianaya89 52

53. ! ✅ Sesiones & Tokens • No exponer • Expirar

    • Blacklist o WhiteList • OAUTH - OpenID Security is not a feature! - @ianaya89 53

54. ! " Sesiones & Tokens • jsonwebtoken • passport •

    Auth0 - Okta - Firebase Security is not a feature! - @ianaya89 54

55. ! Passwords Security is not a feature! - @ianaya89 55

56. Time to crack Security is not a feature! - @ianaya89

    56

57. ! ✅ Passwords • hash + salt (no usar crypto)

    • Contraseñas fuertes (entropia) • MFA Security is not a feature! - @ianaya89 57

58. ! " Passwords • bcrypt • speakeasy • Auth0 -

    Okta - Firebase • Twilio Security is not a feature! - @ianaya89 58

59. ! " Have I been pawned? https://haveibeenpwned.com Security is not

    a feature! - @ianaya89 59

60. ! " Have I been pawned? https://haveibeenpwned.com Security is not

    a feature! - @ianaya89 60

61. ! " Have I been pawned? API & DB Security

    is not a feature! - @ianaya89 61

62. ! Dev Passwords & Secrets • CI • Dev Tools

    • Cloud • Keys - Tokens - Secrets Security is not a feature! - @ianaya89 62

63. ! ✅ Dev Passwords & Secrets • 1Password • Blackbox

    • GPG • Secret Manager (AWS) • MFA ⚠ Security is not a feature! - @ianaya89 63

64. ! Cookies Security is not a feature! - @ianaya89 64

65. ! " Cookies Flags • httpOnly • secure • SameSite

    Security is not a feature! - @ianaya89 65

66. ! ↩ Cookies Scoping • domain • path • expires

    Security is not a feature! - @ianaya89 66

67. ! Logging & Monitoring Security is not a feature! -

    @ianaya89 67

68. ! " Logging & Monitoring • winston • express-status-monitor Security

    is not a feature! - @ianaya89 68

69. ! " Logging & Monitoring • datadog & new relic

    (monitoreo) • sentry & bugsnag (errores) • papertrail & loggly (logs) • pingdom & checkly (status) Security is not a feature! - @ianaya89 69

70. ! Exponer Información Sensible Security is not a feature! -

    @ianaya89 70

71. Security is not a feature! - @ianaya89 71

72. ! ✅ Exponer Información Sensible Simplemente no! Security is not

    a feature! - @ianaya89 72

73. Security is not a feature! - @ianaya89 73

74. ! OWASP Top 10 owasp.org Security is not a feature!

    - @ianaya89 74

75. ! Recursos • owasp.org • WebGoat • Web Security Basics

    • MIT Computer Systems Security • The Node.js best practices list • Web Application Security Security is not a feature! - @ianaya89 75

76. ! Take Away Security is not a feature! - @ianaya89

    76

77. Security is not a feature! - @ianaya89 77

78. ✌ Crear una cultura de seguridad Security is not a

    feature! - @ianaya89 78

79. ! Security is not a feature! - @ianaya89 79

80. ! Gracias! ! Preguntas? ! @ianaya89 Security is not a

    feature! - @ianaya89 80