Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security is not a feature‼️
Search
Ignacio Anaya
February 27, 2021
Programming
540
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Security is not a feature‼️
JS World 2021
Ignacio Anaya
February 27, 2021
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
170
Security is not a feature!
ianaya89
1
400
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
150
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
310
Vue.js, PWA & The Subway Dilemma
ianaya89
0
230
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
170
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
140
A Token Walks into SPA
ianaya89
0
640
Other Decks in Programming
See All in Programming
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
260
エージェンティックRAGにAWSで入門しよう!
har1101
9
1.9k
IBM Bobを活用したレガシーアプリの最新化
oniak3ibm
PRO
1
240
エンジニアにデザインハーネスを 〜デザインプロセスを規定するためのハーネス〜 / Design harness from an engineer's perspective
rkaga
2
1.2k
AI 輔助遺留系統現代化的經驗分享
jame2408
1
1.2k
Performance Engineering for Everyone
elenatanasoiu
0
260
LLM本来の能力を解き放つサンドボックス技術とAI民主化への適用
yukukotani
3
4.9k
Skillsは効率化、Agentsは"自分の拡張"——Builder時代のエージェント編成(CC Night 2026)
wemra
1
200
TypeScript+Orvalで実現する型安全かつ堅牢でスケーラブルなマルチチャネル通知基盤 / TSKaigi Night talks ~after conference~
d0riven
0
390
コーディングルールの鮮度を保ちたい for SRE NEXT 2026 / keep-fresh-go-internal-conventions-sre-next-2026
handlename
0
130
気圧・高度・GPSを記録&可視化するアプリ「Koudo」を作った話
hjmkth
1
350
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
handlename
0
840
Featured
See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Agile that works and the tools we love
rasmusluckow
331
22k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.2k
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
220
We Have a Design System, Now What?
morganepeng
55
8.2k
Building a Scalable Design System with Sketch
lauravandoore
463
34k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
63
55k
From π to Pie charts
rasagy
0
230
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.4k
My Coaching Mixtape
mlcsv
0
170
Typedesign – Prime Four
hannesfritz
42
3.1k
Transcript
Security is not a feature !" Security is not a
feature ‼ - @ianaya89 1
! Nacho Anaya ! @ianaya89 • ! Lead OSS Engineer
@ChecklyHQ • " Ambassador @Auth0 • # Streaming @ianaya89 Security is not a feature ‼ - @ianaya89 2
! Security is not a feature ‼ - @ianaya89 3
!" Security is not a feature ‼ - @ianaya89 4
"There are two types of companies: those that have been
hacked, and those who don't know they have been hacked." John T. Chambers Security is not a feature ‼ - @ianaya89 5
! Security is not a feature ‼ - @ianaya89 6
! Security is not a feature ‼ - @ianaya89 7
Security is not a feature ‼ - @ianaya89 8
Security is not a feature ‼ - @ianaya89 9
Security is not a feature ‼ - @ianaya89 10
Security is not a feature ‼ - @ianaya89 11
! ~11.3 Billons informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks Security is not a feature ‼
- @ianaya89 12
Security is not a feature ‼ - @ianaya89 13
! Security is not a feature ‼ - @ianaya89 14
! ... ! Uneven Competition Security is not a feature
‼ - @ianaya89 15
! Security is not a feature ‼ - @ianaya89 16
! Lose Money Security is not a feature ‼ -
@ianaya89 17
! Lose Trust Security is not a feature ‼ -
@ianaya89 18
! Security is not a feature ‼ - @ianaya89 19
✍ Culture • ! Training • " Politics • ⏱
Time • $ Money % Security is not a feature ‼ - @ianaya89 20
"If you spend more on coffee than on IT security,
you will be hacked. What's more, you deserve to be hacked" Richard A. Clarke Security is not a feature ‼ - @ianaya89 21
! " Invest! Security is not a feature ‼ -
@ianaya89 22
! Security is not a feature ‼ - @ianaya89 23
! Systemic Thinking Security is not a feature ‼ -
@ianaya89 24
! Vulnerabilities Security is not a feature ‼ - @ianaya89
25
"Vulnerabilities are like ants, they are everywhere" Nacho Anaya Security
is not a feature ‼ - @ianaya89 26
Heartbleed Security is not a feature ‼ - @ianaya89 27
Security is not a feature ‼ - @ianaya89 28
! Web is Complex Security is not a feature ‼
- @ianaya89 29
! HTTP/S - WebSockets - DNS - TCP FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature ‼ - @ianaya89 30
! Browsers too Security is not a feature ‼ -
@ianaya89 31
! HTML - CSS - JS Security is not a
feature ‼ - @ianaya89 32
! DOM - Geolocation - Multimedia Fetch - Web Sockets
- Storage Security is not a feature ‼ - @ianaya89 33
! Security is not a feature ‼ - @ianaya89 34
! The Solution Security is not a feature ‼ -
@ianaya89 35
! No perfect solution Security is not a feature ‼
- @ianaya89 36
! But we can be ready Security is not a
feature ‼ - @ianaya89 37
! Security is not a feature ‼ - @ianaya89 38
! Security is not "nice to have" Security is not
a feature ‼ - @ianaya89 39
! Security is by default Security is not a feature
‼ - @ianaya89 40
! Assume the worst Security is not a feature ‼
- @ianaya89 41
ALWAYS Security is not a feature ‼ - @ianaya89 42
! Your app is your bestie Security is not a
feature ‼ - @ianaya89 43
! Input vectors Security is not a feature ‼ -
@ianaya89 44
! Query String - URL Path - Request Body -
Cookies Request Headers - Form Fields - File Inputs Emails - Web Socket - Browser Storage - Hooks Security is not a feature ‼ - @ianaya89 45
⚠ Never trust your users Security is not a feature
‼ - @ianaya89 46
! Security is not a feature ‼ - @ianaya89 47
! HTTPS ! 2021 Security is not a feature ‼
- @ianaya89 48
Security is not a feature ‼ - @ianaya89 49
⬇ LTS Security is not a feature ‼ - @ianaya89
50
Dependencies Security is not a feature ‼ - @ianaya89 51
Security is not a feature ‼ - @ianaya89 52
! "Your code is not your code, but their bugs
are your bugs." Nacho Anaya Security is not a feature ‼ - @ianaya89 53
! eslint-scope eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes Security is not a feature ‼ -
@ianaya89 54
Security is not a feature ‼ - @ianaya89 55
Security is not a feature ‼ - @ianaya89 56
Security is not a feature ‼ - @ianaya89 57
! SQL / No-SQL Injection Security is not a feature
‼ - @ianaya89 58
Security is not a feature ‼ - @ianaya89 59
Security is not a feature ‼ - @ianaya89 60
! SQL / No-SQL Injection • ‼ Server Side Validation
• " Sanitize queries • # ORM / ODM Security is not a feature ‼ - @ianaya89 61
! XSS Security is not a feature ‼ - @ianaya89
62
Security is not a feature ‼ - @ianaya89 63
! XSS • ‼ Server Side Validation • " Sanitize
inputs • # HTML encoding • $ Frameworks • % HTTP Secure Response Headers Security is not a feature ‼ - @ianaya89 64
! XSS Headers - HSTS - HPKP - X-Frame-Options -
X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy ! Secure Headers Security is not a feature ‼ - @ianaya89 65
! DoS Security is not a feature ‼ - @ianaya89
66
Security is not a feature ‼ - @ianaya89 67
! DoS • ⌛ Rate Limiting • ❌ Error handling
• # Explicit Crashes • $ Exponential Regex • % IP Banning Security is not a feature ‼ - @ianaya89 68
! Sessions & Tokens Security is not a feature ‼
- @ianaya89 69
! Sessions & Tokens • ⏱ Expirable • " Allow
List or Deny List • # OAUTH - OpenID • $ Single Sign On Security is not a feature ‼ - @ianaya89 70
! Passwords Security is not a feature ‼ - @ianaya89
71
Time to crack Security is not a feature ‼ -
@ianaya89 72
! Passwords • ! hash + salt (bcrypt) • "
Strong Passwords (Entropy) • # 2FA / MFA Security is not a feature ‼ - @ianaya89 73
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature ‼ - @ianaya89 74
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature ‼ - @ianaya89 75
! " Have I been pawned? ! API & DB
Security is not a feature ‼ - @ianaya89 76
! Dev Passwords & Secrets • ! CI • "
Dev Tools • # Cloud • $ Keys - Tokens - Secrets Security is not a feature ‼ - @ianaya89 77
! Dev Passwords & Secrets • Blackbox • Keybase •
GPG • Password Managers • Secret Manager (AWS) • MFA ! Security is not a feature ‼ - @ianaya89 78
! Cookies Security is not a feature ‼ - @ianaya89
79
! " Cookies Flags • httpOnly • secure • SameSite
Security is not a feature ‼ - @ianaya89 80
! ↩ Cookies Scoping • domain • path • expires
Security is not a feature ‼ - @ianaya89 81
! Logging & Monitoring Security is not a feature ‼
- @ianaya89 82
! " Logging & Monitoring • ! Monitoring: datadog /
new relic • " Errors: sentry / bugsnag • # Logs: papertrail / loggly • $ Status: checkly / pingdom Security is not a feature ‼ - @ianaya89 83
! Sensitive Data Security is not a feature ‼ -
@ianaya89 84
Security is not a feature ‼ - @ianaya89 85
Security is not a feature ‼ - @ianaya89 86
! OWASP Top 10 owasp.org Security is not a feature
‼ - @ianaya89 87
! WebGoat $ docker pull webgoat/webgoat-8.0 $ docker run -p
8080:8080 -t webgoat/webgoat-8.0 Security is not a feature ‼ - @ianaya89 88
! Take Away Security is not a feature ‼ -
@ianaya89 89
Security is not a feature ‼ - @ianaya89 90
! Start taking care Security is not a feature ‼
- @ianaya89 91
! Security is not a feature ‼ - @ianaya89 92
! Thanks! ! Questions? ! @ianaya89 Security is not a
feature ‼ - @ianaya89 93