Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security is not a feature‼️
Search
Ignacio Anaya
February 27, 2021
Programming
2
490
Security is not a feature‼️
JS World 2021
Ignacio Anaya
February 27, 2021
Tweet
Share
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
140
Security is not a feature!
ianaya89
1
350
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
120
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
280
Vue.js, PWA & The Subway Dilemma
ianaya89
0
190
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
140
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
110
A Token Walks into SPA
ianaya89
0
580
Other Decks in Programming
See All in Programming
11年かかって やっとVibe Codingに 時代が追いつきましたね
yimajo
0
170
Gemini CLI のはじめ方
ttnyt8701
1
110
マッチングアプリにおけるフリックUIで苦労したこと
yuheiito
0
240
知って得する@cloudflare_vite-pluginのあれこれ
chimame
1
120
新しいモバイルアプリ勉強会(仮)について
uetyo
1
190
脱Riverpod?fqueryで考える、TanStack Queryライクなアーキテクチャの可能性
ostk0069
0
570
MCPを使ってイベントソーシングのAIコーディングを効率化する / Streamlining Event Sourcing AI Coding with MCP
tomohisa
0
190
Go製CLIツールをnpmで配布するには
syumai
0
720
オンコール⼊⾨〜ページャーが鳴る前に、あなたが備えられること〜 / Before The Pager Rings
yktakaha4
2
1.1k
中級グラフィックス入門~効率的なメッシュレット描画~
projectasura
3
1.7k
Quality Gates in the Age of Agentic Coding
helmedeiros
PRO
1
110
Bedrock AgentCore ObservabilityによるAIエージェントの運用
licux
8
340
Featured
See All Featured
RailsConf 2023
tenderlove
30
1.2k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Faster Mobile Websites
deanohume
308
31k
Git: the NoSQL Database
bkeepers
PRO
431
65k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
Fireside Chat
paigeccino
37
3.5k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
30
2.2k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Navigating Team Friction
lara
187
15k
Building Adaptive Systems
keathley
43
2.7k
Transcript
Security is not a feature !" Security is not a
feature ‼ - @ianaya89 1
! Nacho Anaya ! @ianaya89 • ! Lead OSS Engineer
@ChecklyHQ • " Ambassador @Auth0 • # Streaming @ianaya89 Security is not a feature ‼ - @ianaya89 2
! Security is not a feature ‼ - @ianaya89 3
!" Security is not a feature ‼ - @ianaya89 4
"There are two types of companies: those that have been
hacked, and those who don't know they have been hacked." John T. Chambers Security is not a feature ‼ - @ianaya89 5
! Security is not a feature ‼ - @ianaya89 6
! Security is not a feature ‼ - @ianaya89 7
Security is not a feature ‼ - @ianaya89 8
Security is not a feature ‼ - @ianaya89 9
Security is not a feature ‼ - @ianaya89 10
Security is not a feature ‼ - @ianaya89 11
! ~11.3 Billons informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks Security is not a feature ‼
- @ianaya89 12
Security is not a feature ‼ - @ianaya89 13
! Security is not a feature ‼ - @ianaya89 14
! ... ! Uneven Competition Security is not a feature
‼ - @ianaya89 15
! Security is not a feature ‼ - @ianaya89 16
! Lose Money Security is not a feature ‼ -
@ianaya89 17
! Lose Trust Security is not a feature ‼ -
@ianaya89 18
! Security is not a feature ‼ - @ianaya89 19
✍ Culture • ! Training • " Politics • ⏱
Time • $ Money % Security is not a feature ‼ - @ianaya89 20
"If you spend more on coffee than on IT security,
you will be hacked. What's more, you deserve to be hacked" Richard A. Clarke Security is not a feature ‼ - @ianaya89 21
! " Invest! Security is not a feature ‼ -
@ianaya89 22
! Security is not a feature ‼ - @ianaya89 23
! Systemic Thinking Security is not a feature ‼ -
@ianaya89 24
! Vulnerabilities Security is not a feature ‼ - @ianaya89
25
"Vulnerabilities are like ants, they are everywhere" Nacho Anaya Security
is not a feature ‼ - @ianaya89 26
Heartbleed Security is not a feature ‼ - @ianaya89 27
Security is not a feature ‼ - @ianaya89 28
! Web is Complex Security is not a feature ‼
- @ianaya89 29
! HTTP/S - WebSockets - DNS - TCP FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature ‼ - @ianaya89 30
! Browsers too Security is not a feature ‼ -
@ianaya89 31
! HTML - CSS - JS Security is not a
feature ‼ - @ianaya89 32
! DOM - Geolocation - Multimedia Fetch - Web Sockets
- Storage Security is not a feature ‼ - @ianaya89 33
! Security is not a feature ‼ - @ianaya89 34
! The Solution Security is not a feature ‼ -
@ianaya89 35
! No perfect solution Security is not a feature ‼
- @ianaya89 36
! But we can be ready Security is not a
feature ‼ - @ianaya89 37
! Security is not a feature ‼ - @ianaya89 38
! Security is not "nice to have" Security is not
a feature ‼ - @ianaya89 39
! Security is by default Security is not a feature
‼ - @ianaya89 40
! Assume the worst Security is not a feature ‼
- @ianaya89 41
ALWAYS Security is not a feature ‼ - @ianaya89 42
! Your app is your bestie Security is not a
feature ‼ - @ianaya89 43
! Input vectors Security is not a feature ‼ -
@ianaya89 44
! Query String - URL Path - Request Body -
Cookies Request Headers - Form Fields - File Inputs Emails - Web Socket - Browser Storage - Hooks Security is not a feature ‼ - @ianaya89 45
⚠ Never trust your users Security is not a feature
‼ - @ianaya89 46
! Security is not a feature ‼ - @ianaya89 47
! HTTPS ! 2021 Security is not a feature ‼
- @ianaya89 48
Security is not a feature ‼ - @ianaya89 49
⬇ LTS Security is not a feature ‼ - @ianaya89
50
Dependencies Security is not a feature ‼ - @ianaya89 51
Security is not a feature ‼ - @ianaya89 52
! "Your code is not your code, but their bugs
are your bugs." Nacho Anaya Security is not a feature ‼ - @ianaya89 53
! eslint-scope eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes Security is not a feature ‼ -
@ianaya89 54
Security is not a feature ‼ - @ianaya89 55
Security is not a feature ‼ - @ianaya89 56
Security is not a feature ‼ - @ianaya89 57
! SQL / No-SQL Injection Security is not a feature
‼ - @ianaya89 58
Security is not a feature ‼ - @ianaya89 59
Security is not a feature ‼ - @ianaya89 60
! SQL / No-SQL Injection • ‼ Server Side Validation
• " Sanitize queries • # ORM / ODM Security is not a feature ‼ - @ianaya89 61
! XSS Security is not a feature ‼ - @ianaya89
62
Security is not a feature ‼ - @ianaya89 63
! XSS • ‼ Server Side Validation • " Sanitize
inputs • # HTML encoding • $ Frameworks • % HTTP Secure Response Headers Security is not a feature ‼ - @ianaya89 64
! XSS Headers - HSTS - HPKP - X-Frame-Options -
X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy ! Secure Headers Security is not a feature ‼ - @ianaya89 65
! DoS Security is not a feature ‼ - @ianaya89
66
Security is not a feature ‼ - @ianaya89 67
! DoS • ⌛ Rate Limiting • ❌ Error handling
• # Explicit Crashes • $ Exponential Regex • % IP Banning Security is not a feature ‼ - @ianaya89 68
! Sessions & Tokens Security is not a feature ‼
- @ianaya89 69
! Sessions & Tokens • ⏱ Expirable • " Allow
List or Deny List • # OAUTH - OpenID • $ Single Sign On Security is not a feature ‼ - @ianaya89 70
! Passwords Security is not a feature ‼ - @ianaya89
71
Time to crack Security is not a feature ‼ -
@ianaya89 72
! Passwords • ! hash + salt (bcrypt) • "
Strong Passwords (Entropy) • # 2FA / MFA Security is not a feature ‼ - @ianaya89 73
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature ‼ - @ianaya89 74
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature ‼ - @ianaya89 75
! " Have I been pawned? ! API & DB
Security is not a feature ‼ - @ianaya89 76
! Dev Passwords & Secrets • ! CI • "
Dev Tools • # Cloud • $ Keys - Tokens - Secrets Security is not a feature ‼ - @ianaya89 77
! Dev Passwords & Secrets • Blackbox • Keybase •
GPG • Password Managers • Secret Manager (AWS) • MFA ! Security is not a feature ‼ - @ianaya89 78
! Cookies Security is not a feature ‼ - @ianaya89
79
! " Cookies Flags • httpOnly • secure • SameSite
Security is not a feature ‼ - @ianaya89 80
! ↩ Cookies Scoping • domain • path • expires
Security is not a feature ‼ - @ianaya89 81
! Logging & Monitoring Security is not a feature ‼
- @ianaya89 82
! " Logging & Monitoring • ! Monitoring: datadog /
new relic • " Errors: sentry / bugsnag • # Logs: papertrail / loggly • $ Status: checkly / pingdom Security is not a feature ‼ - @ianaya89 83
! Sensitive Data Security is not a feature ‼ -
@ianaya89 84
Security is not a feature ‼ - @ianaya89 85
Security is not a feature ‼ - @ianaya89 86
! OWASP Top 10 owasp.org Security is not a feature
‼ - @ianaya89 87
! WebGoat $ docker pull webgoat/webgoat-8.0 $ docker run -p
8080:8080 -t webgoat/webgoat-8.0 Security is not a feature ‼ - @ianaya89 88
! Take Away Security is not a feature ‼ -
@ianaya89 89
Security is not a feature ‼ - @ianaya89 90
! Start taking care Security is not a feature ‼
- @ianaya89 91
! Security is not a feature ‼ - @ianaya89 92
! Thanks! ! Questions? ! @ianaya89 Security is not a
feature ‼ - @ianaya89 93