Security is not a feature‼️

JS World 2021

Ignacio Anaya

February 27, 2021

Transcript

  1. Security is not a feature ‼ - @ianaya89
  2. Nacho Anaya @ianaya89 • Lead OSS Engineer @ChecklyHQ • Ambassador @Auth0 • Streaming @ianaya89
  3-4. (image-only slides)
  5. "There are two types of companies: those that have been hacked, and those who don't know they have been hacked." John T. Chambers
  6-11. (image-only slides)
  12. ~11.3 Billion (informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks)
  13-14. (image-only slides)
  15. ... Uneven Competition
  16. (image-only slide)
  17. Lose Money
  18. Lose Trust
  19. (image-only slide)
  20. ✍ Culture • Training • Politics • ⏱ Time • Money
  21. "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Richard A. Clarke
  22. Invest!
  23. (image-only slide)
  24. Systemic Thinking
  25. Vulnerabilities
  26. "Vulnerabilities are like ants, they are everywhere." Nacho Anaya
  27. Heartbleed
  28. (image-only slide)
  29. Web is Complex
  30. HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
  31. Browsers too
  32. HTML - CSS - JS
  33. DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage
  34. (image-only slide)
  35. The Solution
  36. No perfect solution
  37. But we can be ready
  38. (image-only slide)
  39. Security is not "nice to have"
  40. Security is by default
  41. Assume the worst
  42. ALWAYS
  43. Your app is your bestie
  44. Input vectors
  45. Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage - Hooks
  46. ⚠ Never trust your users
  47. (image-only slide)
  48. HTTPS 2021
  49. (image-only slide)
  50. ⬇ LTS
  51. Dependencies
  52. (image-only slide)
  53. "Your code is not your code, but their bugs are your bugs." Nacho Anaya
  54. eslint-scope: eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
  55-57. (image-only slides)
  58. SQL / No-SQL Injection
  59-60. (image-only slides)
  61. SQL / No-SQL Injection • Server Side Validation • Sanitize queries • ORM / ODM
  62. XSS
  63. (image-only slide)
  64. XSS • Server Side Validation • Sanitize inputs • HTML encoding • Frameworks • HTTP Secure Response Headers
  65. XSS - Secure Headers: HSTS - HPKP - X-Frame-Options - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy
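An added example (not code from the talk) for slides 64 and 65: HTML encoding of untrusted output plus an Express-style middleware that emits the secure response headers the slide lists. The header values and the CSP are assumed defaults to tune per application.

```javascript
// Added example, not code from the talk: output encoding for untrusted text
// plus the secure response headers listed on slide 65. The middleware shape
// (req, res, next) assumes an Express-style app.

// Encode the five characters that break out of HTML text or attribute
// context. Not sufficient for JavaScript, URL or CSS contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Header set from slide 65. HPKP and Expect-CT are deprecated and no longer
// honoured by current browsers, so they are omitted; X-XSS-Protection is set
// to "0" because the legacy filter it controls introduced side-channel leaks
// of its own (OWASP recommends disabling it and relying on CSP).
function secureHeaders({ cspSources = ["'self'"] } = {}) {
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'X-XSS-Protection': '0',
    'Content-Security-Policy':
      `default-src ${cspSources.join(' ')}; object-src 'none'; base-uri 'none'; frame-ancestors 'none'`,
  };
}

// Apply the header set to every response.
function secureHeadersMiddleware(options) {
  const headers = secureHeaders(options);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Constructed sample: a comment body containing markup, rendered safely.
const untrustedComment = '<script>alert("x")</script>';
const safeFragment = `<p>${htmlEncode(untrustedComment)}</p>`;
```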
  66. DoS
  67. (image-only slide)
  68. DoS • ⌛ Rate Limiting • ❌ Error handling • Explicit Crashes • Exponential Regex • IP Banning
  69. Sessions & Tokens
  70. Sessions & Tokens • ⏱ Expirable • Allow List or Deny List • OAuth - OpenID • Single Sign On
  71. Passwords
  72. Time to crack
  73. Passwords • hash + salt (bcrypt) • Strong Passwords (Entropy) • 2FA / MFA
  74-75. Have I Been Pwned? https://haveibeenpwned.com
  76. Have I Been Pwned? API & DB
  77. Dev Passwords & Secrets • CI • Dev Tools • Cloud • Keys - Tokens - Secrets
  78. Dev Passwords & Secrets • Blackbox • Keybase • GPG • Password Managers • Secret Manager (AWS) • MFA
  79. Cookies
  80. Cookies Flags • httpOnly • secure • SameSite
  81. ↩ Cookies Scoping • domain • path • expires
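Slides 80 and 81 together, as an added example that is not code from the talk: a Set-Cookie serializer that applies the three flags and the scoping attributes, refusing combinations a browser would silently drop, plus a small helper that audits an existing header for missing flags. The secure-by-default choices (HttpOnly, Secure, SameSite=Lax, Path=/) are assumed defaults.

```javascript
// Added example, not code from the talk: a Set-Cookie serializer that applies
// the flags from slide 80 (HttpOnly, Secure, SameSite) and the scoping
// attributes from slide 81 (Domain, Path, Expires), failing loudly where a
// browser would silently drop the cookie, plus a small audit helper.
const SAMESITE_VALUES = new Set(['Strict', 'Lax', 'None']);

function serializeCookie(name, value, opts = {}) {
  const {
    httpOnly = true,   // hidden from document.cookie, so injected script cannot read it
    secure = true,     // sent over HTTPS only
    sameSite = 'Lax',  // withheld on cross-site top-level POSTs (CSRF)
    domain, path = '/', expires, maxAge,
  } = opts;
  if (!/^[\w!#$%&'*+.^|~-]+$/.test(name)) throw new TypeError('invalid cookie name');
  if (/[;,\s]/.test(value)) throw new TypeError('value must be URL-encoded');
  if (!SAMESITE_VALUES.has(sameSite)) throw new TypeError('SameSite must be Strict, Lax or None');
  if (sameSite === 'None' && !secure) throw new TypeError('SameSite=None requires Secure');
  // __Host- prefixed names must be Secure, Path=/ and carry no Domain.
  if (name.startsWith('__Host-') && (!secure || path !== '/' || domain)) {
    throw new TypeError('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  const parts = [`${name}=${value}`];
  if (domain) parts.push(`Domain=${domain}`);  // omitted: cookie scoped to the exact host
  parts.push(`Path=${path}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Audit a Set-Cookie header value (from a proxy log, say) for missing flags.
function auditCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes('httponly')) findings.push('missing HttpOnly');
  if (!attrs.includes('secure')) findings.push('missing Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) findings.push('missing SameSite');
  return findings;
}

// Constructed sample: a session cookie that lives one hour.
const sessionCookie = serializeCookie('__Host-sid', 'c0ffee', { sameSite: 'Strict', maxAge: 3600 });
```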
  82. Logging & Monitoring
  83. Logging & Monitoring • Monitoring: datadog / new relic • Errors: sentry / bugsnag • Logs: papertrail / loggly • Status: checkly / pingdom
  84. Sensitive Data
  85-86. (image-only slides)
  87. OWASP Top 10 owasp.org
  88. WebGoat
      $ docker pull webgoat/webgoat-8.0
      $ docker run -p 8080:8080 -t webgoat/webgoat-8.0
  89. Take Away
  90. (image-only slide)
  91. Start taking care
  92. (image-only slide)
  93. Thanks! Questions? @ianaya89