Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security is not a feature‼️
Search
Ignacio Anaya
February 27, 2021
Programming
2
480
Security is not a feature‼️
JS World 2021
Ignacio Anaya
February 27, 2021
Tweet
Share
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
140
Security is not a feature!
ianaya89
1
350
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
120
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
280
Vue.js, PWA & The Subway Dilemma
ianaya89
0
190
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
130
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
110
A Token Walks into SPA
ianaya89
0
580
Other Decks in Programming
See All in Programming
Benchmark
sysong
0
270
Julia という言語について (FP in Julia « SIDE: F ») for 関数型まつり2025
antimon2
3
980
Is Xcode slowly dying out in 2025?
uetyo
1
210
PHPでWebSocketサーバーを実装しよう2025
kubotak
0
220
エラーって何種類あるの?
kajitack
5
310
Team topologies and the microservice architecture: a synergistic relationship
cer
PRO
0
1.1k
Cline指示通りに動かない? AI小説エージェントで学ぶ指示書の書き方と自動アップデートの仕組み
kamomeashizawa
1
580
都市をデータで見るってこういうこと PLATEAU属性情報入門
nokonoko1203
1
570
PHP 8.4の新機能「プロパティフック」から学ぶオブジェクト指向設計とリスコフの置換原則
kentaroutakeda
2
650
PicoRuby on Rails
makicamel
2
110
明示と暗黙 ー PHPとGoの インターフェイスの違いを知る
shimabox
2
370
Webの外へ飛び出せ NativePHPが切り拓くPHPの未来
takuyakatsusa
2
430
Featured
See All Featured
BBQ
matthewcrist
89
9.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
330
24k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.8k
Why Our Code Smells
bkeepers
PRO
337
57k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
930
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
How to train your dragon (web standard)
notwaldorf
94
6.1k
Bash Introduction
62gerente
614
210k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.8k
Writing Fast Ruby
sferik
628
62k
Docker and Python
trallard
44
3.4k
Transcript
Security is not a feature !" Security is not a
feature ‼ - @ianaya89 1
! Nacho Anaya ! @ianaya89 • ! Lead OSS Engineer
@ChecklyHQ • " Ambassador @Auth0 • # Streaming @ianaya89 Security is not a feature ‼ - @ianaya89 2
! Security is not a feature ‼ - @ianaya89 3
!" Security is not a feature ‼ - @ianaya89 4
"There are two types of companies: those that have been
hacked, and those who don't know they have been hacked." John T. Chambers Security is not a feature ‼ - @ianaya89 5
! Security is not a feature ‼ - @ianaya89 6
! Security is not a feature ‼ - @ianaya89 7
Security is not a feature ‼ - @ianaya89 8
Security is not a feature ‼ - @ianaya89 9
Security is not a feature ‼ - @ianaya89 10
Security is not a feature ‼ - @ianaya89 11
! ~11.3 Billons informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks Security is not a feature ‼
- @ianaya89 12
Security is not a feature ‼ - @ianaya89 13
! Security is not a feature ‼ - @ianaya89 14
! ... ! Uneven Competition Security is not a feature
‼ - @ianaya89 15
! Security is not a feature ‼ - @ianaya89 16
! Lose Money Security is not a feature ‼ -
@ianaya89 17
! Lose Trust Security is not a feature ‼ -
@ianaya89 18
! Security is not a feature ‼ - @ianaya89 19
✍ Culture • ! Training • " Politics • ⏱
Time • $ Money % Security is not a feature ‼ - @ianaya89 20
"If you spend more on coffee than on IT security,
you will be hacked. What's more, you deserve to be hacked" Richard A. Clarke Security is not a feature ‼ - @ianaya89 21
! " Invest! Security is not a feature ‼ -
@ianaya89 22
! Security is not a feature ‼ - @ianaya89 23
! Systemic Thinking Security is not a feature ‼ -
@ianaya89 24
! Vulnerabilities Security is not a feature ‼ - @ianaya89
25
"Vulnerabilities are like ants, they are everywhere" Nacho Anaya Security
is not a feature ‼ - @ianaya89 26
Heartbleed Security is not a feature ‼ - @ianaya89 27
Security is not a feature ‼ - @ianaya89 28
! Web is Complex Security is not a feature ‼
- @ianaya89 29
! HTTP/S - WebSockets - DNS - TCP FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature ‼ - @ianaya89 30
! Browsers too Security is not a feature ‼ -
@ianaya89 31
! HTML - CSS - JS Security is not a
feature ‼ - @ianaya89 32
! DOM - Geolocation - Multimedia Fetch - Web Sockets
- Storage Security is not a feature ‼ - @ianaya89 33
! Security is not a feature ‼ - @ianaya89 34
! The Solution Security is not a feature ‼ -
@ianaya89 35
! No perfect solution Security is not a feature ‼
- @ianaya89 36
! But we can be ready Security is not a
feature ‼ - @ianaya89 37
! Security is not a feature ‼ - @ianaya89 38
! Security is not "nice to have" Security is not
a feature ‼ - @ianaya89 39
! Security is by default Security is not a feature
‼ - @ianaya89 40
! Assume the worst Security is not a feature ‼
- @ianaya89 41
ALWAYS Security is not a feature ‼ - @ianaya89 42
! Your app is your bestie Security is not a
feature ‼ - @ianaya89 43
! Input vectors Security is not a feature ‼ -
@ianaya89 44
! Query String - URL Path - Request Body -
Cookies Request Headers - Form Fields - File Inputs Emails - Web Socket - Browser Storage - Hooks Security is not a feature ‼ - @ianaya89 45
⚠ Never trust your users Security is not a feature
‼ - @ianaya89 46
! Security is not a feature ‼ - @ianaya89 47
! HTTPS ! 2021 Security is not a feature ‼
- @ianaya89 48
Security is not a feature ‼ - @ianaya89 49
⬇ LTS Security is not a feature ‼ - @ianaya89
50
Dependencies Security is not a feature ‼ - @ianaya89 51
Security is not a feature ‼ - @ianaya89 52
! "Your code is not your code, but their bugs
are your bugs." Nacho Anaya Security is not a feature ‼ - @ianaya89 53
! eslint-scope eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes Security is not a feature ‼ -
@ianaya89 54
Security is not a feature ‼ - @ianaya89 55
Security is not a feature ‼ - @ianaya89 56
Security is not a feature ‼ - @ianaya89 57
! SQL / No-SQL Injection Security is not a feature
‼ - @ianaya89 58
Security is not a feature ‼ - @ianaya89 59
Security is not a feature ‼ - @ianaya89 60
! SQL / No-SQL Injection • ‼ Server Side Validation
• " Sanitize queries • # ORM / ODM Security is not a feature ‼ - @ianaya89 61
! XSS Security is not a feature ‼ - @ianaya89
62
Security is not a feature ‼ - @ianaya89 63
! XSS • ‼ Server Side Validation • " Sanitize
inputs • # HTML encoding • $ Frameworks • % HTTP Secure Response Headers Security is not a feature ‼ - @ianaya89 64
! XSS Headers - HSTS - HPKP - X-Frame-Options -
X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy ! Secure Headers Security is not a feature ‼ - @ianaya89 65
! DoS Security is not a feature ‼ - @ianaya89
66
Security is not a feature ‼ - @ianaya89 67
! DoS • ⌛ Rate Limiting • ❌ Error handling
• # Explicit Crashes • $ Exponential Regex • % IP Banning Security is not a feature ‼ - @ianaya89 68
! Sessions & Tokens Security is not a feature ‼
- @ianaya89 69
! Sessions & Tokens • ⏱ Expirable • " Allow
List or Deny List • # OAUTH - OpenID • $ Single Sign On Security is not a feature ‼ - @ianaya89 70
! Passwords Security is not a feature ‼ - @ianaya89
71
Time to crack Security is not a feature ‼ -
@ianaya89 72
! Passwords • ! hash + salt (bcrypt) • "
Strong Passwords (Entropy) • # 2FA / MFA Security is not a feature ‼ - @ianaya89 73
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature ‼ - @ianaya89 74
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature ‼ - @ianaya89 75
! " Have I been pawned? ! API & DB
Security is not a feature ‼ - @ianaya89 76
! Dev Passwords & Secrets • ! CI • "
Dev Tools • # Cloud • $ Keys - Tokens - Secrets Security is not a feature ‼ - @ianaya89 77
! Dev Passwords & Secrets • Blackbox • Keybase •
GPG • Password Managers • Secret Manager (AWS) • MFA ! Security is not a feature ‼ - @ianaya89 78
! Cookies Security is not a feature ‼ - @ianaya89
79
! " Cookies Flags • httpOnly • secure • SameSite
Security is not a feature ‼ - @ianaya89 80
! ↩ Cookies Scoping • domain • path • expires
Security is not a feature ‼ - @ianaya89 81
! Logging & Monitoring Security is not a feature ‼
- @ianaya89 82
! " Logging & Monitoring • ! Monitoring: datadog /
new relic • " Errors: sentry / bugsnag • # Logs: papertrail / loggly • $ Status: checkly / pingdom Security is not a feature ‼ - @ianaya89 83
! Sensitive Data Security is not a feature ‼ -
@ianaya89 84
Security is not a feature ‼ - @ianaya89 85
Security is not a feature ‼ - @ianaya89 86
! OWASP Top 10 owasp.org Security is not a feature
‼ - @ianaya89 87
! WebGoat $ docker pull webgoat/webgoat-8.0 $ docker run -p
8080:8080 -t webgoat/webgoat-8.0 Security is not a feature ‼ - @ianaya89 88
! Take Away Security is not a feature ‼ -
@ianaya89 89
Security is not a feature ‼ - @ianaya89 90
! Start taking care Security is not a feature ‼
- @ianaya89 91
! Security is not a feature ‼ - @ianaya89 92
! Thanks! ! Questions? ! @ianaya89 Security is not a
feature ‼ - @ianaya89 93