Security is not a feature‼️

Transcript

1. Security is not a feature !" Security is not a

   feature ‼ - @ianaya89 1

2. ! Nacho Anaya ! @ianaya89 • ! Lead OSS Engineer

   @ChecklyHQ • " Ambassador @Auth0 • # Streaming @ianaya89 Security is not a feature ‼ - @ianaya89 2

3. ! Security is not a feature ‼ - @ianaya89 3

4. !" Security is not a feature ‼ - @ianaya89 4

5. "There are two types of companies: those that have been

   hacked, and those who don't know they have been hacked." John T. Chambers Security is not a feature ‼ - @ianaya89 5

6. ! Security is not a feature ‼ - @ianaya89 6

7. ! Security is not a feature ‼ - @ianaya89 7

8. Security is not a feature ‼ - @ianaya89 8

9. Security is not a feature ‼ - @ianaya89 9

10. Security is not a feature ‼ - @ianaya89 10

11. Security is not a feature ‼ - @ianaya89 11

12. ! ~11.3 Billons informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks Security is not a feature ‼

    - @ianaya89 12

13. Security is not a feature ‼ - @ianaya89 13

14. ! Security is not a feature ‼ - @ianaya89 14

15. ! ... ! Uneven Competition Security is not a feature

    ‼ - @ianaya89 15

16. ! Security is not a feature ‼ - @ianaya89 16

17. ! Lose Money Security is not a feature ‼ -

    @ianaya89 17

18. ! Lose Trust Security is not a feature ‼ -

    @ianaya89 18

19. ! Security is not a feature ‼ - @ianaya89 19

20. ✍ Culture • ! Training • " Politics • ⏱

    Time • $ Money % Security is not a feature ‼ - @ianaya89 20

21. "If you spend more on coffee than on IT security,

    you will be hacked. What's more, you deserve to be hacked" Richard A. Clarke Security is not a feature ‼ - @ianaya89 21

22. ! " Invest! Security is not a feature ‼ -

    @ianaya89 22

23. ! Security is not a feature ‼ - @ianaya89 23

24. ! Systemic Thinking Security is not a feature ‼ -

    @ianaya89 24

25. ! Vulnerabilities Security is not a feature ‼ - @ianaya89

    25

26. "Vulnerabilities are like ants, they are everywhere" Nacho Anaya Security

    is not a feature ‼ - @ianaya89 26

27. Heartbleed Security is not a feature ‼ - @ianaya89 27

28. Security is not a feature ‼ - @ianaya89 28

29. ! Web is Complex Security is not a feature ‼

    - @ianaya89 29

30. ! HTTP/S - WebSockets - DNS - TCP FTP -

    IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature ‼ - @ianaya89 30

31. ! Browsers too Security is not a feature ‼ -

    @ianaya89 31

32. ! HTML - CSS - JS Security is not a

    feature ‼ - @ianaya89 32

33. ! DOM - Geolocation - Multimedia Fetch - Web Sockets

    - Storage Security is not a feature ‼ - @ianaya89 33

34. ! Security is not a feature ‼ - @ianaya89 34

35. ! The Solution Security is not a feature ‼ -

    @ianaya89 35

36. ! No perfect solution Security is not a feature ‼

    - @ianaya89 36

37. ! But we can be ready Security is not a

    feature ‼ - @ianaya89 37

38. ! Security is not a feature ‼ - @ianaya89 38

39. ! Security is not "nice to have" Security is not

    a feature ‼ - @ianaya89 39

40. ! Security is by default Security is not a feature

    ‼ - @ianaya89 40

41. ! Assume the worst Security is not a feature ‼

    - @ianaya89 41

42. ALWAYS Security is not a feature ‼ - @ianaya89 42

43. ! Your app is your bestie Security is not a

    feature ‼ - @ianaya89 43

44. ! Input vectors Security is not a feature ‼ -

    @ianaya89 44

45. ! Query String - URL Path - Request Body -

    Cookies Request Headers - Form Fields - File Inputs Emails - Web Socket - Browser Storage - Hooks Security is not a feature ‼ - @ianaya89 45

46. ⚠ Never trust your users Security is not a feature

    ‼ - @ianaya89 46

47. ! Security is not a feature ‼ - @ianaya89 47

48. ! HTTPS ! 2021 Security is not a feature ‼

    - @ianaya89 48

49. Security is not a feature ‼ - @ianaya89 49

50. ⬇ LTS Security is not a feature ‼ - @ianaya89

    50

51. Dependencies Security is not a feature ‼ - @ianaya89 51

52. Security is not a feature ‼ - @ianaya89 52

53. ! "Your code is not your code, but their bugs

    are your bugs." Nacho Anaya Security is not a feature ‼ - @ianaya89 53

54. ! eslint-scope eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes Security is not a feature ‼ -

    @ianaya89 54

55. Security is not a feature ‼ - @ianaya89 55

56. Security is not a feature ‼ - @ianaya89 56

57. Security is not a feature ‼ - @ianaya89 57

58. ! SQL / No-SQL Injection Security is not a feature

    ‼ - @ianaya89 58

59. Security is not a feature ‼ - @ianaya89 59

60. Security is not a feature ‼ - @ianaya89 60

61. ! SQL / No-SQL Injection • ‼ Server Side Validation

    • " Sanitize queries • # ORM / ODM Security is not a feature ‼ - @ianaya89 61

62. ! XSS Security is not a feature ‼ - @ianaya89

    62

63. Security is not a feature ‼ - @ianaya89 63

64. ! XSS • ‼ Server Side Validation • " Sanitize

    inputs • # HTML encoding • $ Frameworks • % HTTP Secure Response Headers Security is not a feature ‼ - @ianaya89 64

65. ! XSS Headers - HSTS - HPKP - X-Frame-Options -

    X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy ! Secure Headers Security is not a feature ‼ - @ianaya89 65

66. ! DoS Security is not a feature ‼ - @ianaya89

    66

67. Security is not a feature ‼ - @ianaya89 67

68. ! DoS • ⌛ Rate Limiting • ❌ Error handling

    • # Explicit Crashes • $ Exponential Regex • % IP Banning Security is not a feature ‼ - @ianaya89 68

69. ! Sessions & Tokens Security is not a feature ‼

    - @ianaya89 69

70. ! Sessions & Tokens • ⏱ Expirable • " Allow

    List or Deny List • # OAUTH - OpenID • $ Single Sign On Security is not a feature ‼ - @ianaya89 70

71. ! Passwords Security is not a feature ‼ - @ianaya89

    71

72. Time to crack Security is not a feature ‼ -

    @ianaya89 72

73. ! Passwords • ! hash + salt (bcrypt) • "

    Strong Passwords (Entropy) • # 2FA / MFA Security is not a feature ‼ - @ianaya89 73

74. ! " Have I been pawned? https://haveibeenpwned.com Security is not

    a feature ‼ - @ianaya89 74

75. ! " Have I been pawned? https://haveibeenpwned.com Security is not

    a feature ‼ - @ianaya89 75

76. ! " Have I been pawned? ! API & DB

    Security is not a feature ‼ - @ianaya89 76

77. ! Dev Passwords & Secrets • ! CI • "

    Dev Tools • # Cloud • $ Keys - Tokens - Secrets Security is not a feature ‼ - @ianaya89 77

78. ! Dev Passwords & Secrets • Blackbox • Keybase •

    GPG • Password Managers • Secret Manager (AWS) • MFA ! Security is not a feature ‼ - @ianaya89 78

79. ! Cookies Security is not a feature ‼ - @ianaya89

    79

80. ! " Cookies Flags • httpOnly • secure • SameSite

    Security is not a feature ‼ - @ianaya89 80

81. ! ↩ Cookies Scoping • domain • path • expires

    Security is not a feature ‼ - @ianaya89 81

82. ! Logging & Monitoring Security is not a feature ‼

    - @ianaya89 82

83. ! " Logging & Monitoring • ! Monitoring: datadog /

    new relic • " Errors: sentry / bugsnag • # Logs: papertrail / loggly • $ Status: checkly / pingdom Security is not a feature ‼ - @ianaya89 83

84. ! Sensitive Data Security is not a feature ‼ -

    @ianaya89 84

85. Security is not a feature ‼ - @ianaya89 85

86. Security is not a feature ‼ - @ianaya89 86

87. ! OWASP Top 10 owasp.org Security is not a feature

    ‼ - @ianaya89 87

88. ! WebGoat $ docker pull webgoat/webgoat-8.0 $ docker run -p

    8080:8080 -t webgoat/webgoat-8.0 Security is not a feature ‼ - @ianaya89 88

89. ! Take Away Security is not a feature ‼ -

    @ianaya89 89

90. Security is not a feature ‼ - @ianaya89 90

91. ! Start taking care Security is not a feature ‼

    - @ianaya89 91

92. ! Security is not a feature ‼ - @ianaya89 92

93. ! Thanks! ! Questions? ! @ianaya89 Security is not a

    feature ‼ - @ianaya89 93