Security is not a feature‼️
JS World 2021
Ignacio Anaya
February 27, 2021
Transcript
Slide 1: Security is not a feature ‼
Slide 2: Nacho Anaya, @ianaya89 • Lead OSS Engineer @ChecklyHQ • Ambassador @Auth0 • Streaming @ianaya89
Slide 5: "There are two types of companies: those that have been hacked, and those who don't know they have been hacked." John T. Chambers
Slide 12: ~11.3 billion (informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks)
Slide 15: ... Uneven Competition
Slide 17: Lose Money
Slide 18: Lose Trust
Slide 20: Culture • Training • Politics • Time • Money
Slide 21: "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Richard A. Clarke
Slide 22: Invest!
Slide 24: Systemic Thinking
Slide 25: Vulnerabilities
Slide 26: "Vulnerabilities are like ants, they are everywhere." Nacho Anaya
Slide 27: Heartbleed
Slide 29: Web is Complex
Slide 30: HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
Slide 31: Browsers too
Slide 32: HTML - CSS - JS
Slide 33: DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage
Slide 35: The Solution
Slide 36: No perfect solution
Slide 37: But we can be ready
Slide 39: Security is not "nice to have"
Slide 40: Security is by default
Slide 41: Assume the worst
Slide 42: ALWAYS
Slide 43: Your app is your bestie
Slide 44: Input vectors
Slide 45: Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage - Hooks
Slide 46: ⚠ Never trust your users
Slide 48: HTTPS 2021
Slide 50: ⬇ LTS
Slide 51: Dependencies
Slide 53: "Your code is not your code, but their bugs are your bugs." Nacho Anaya
Slide 54: eslint-scope (eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes)
Slide 58: SQL / No-SQL Injection
Slide 61: SQL / No-SQL Injection • Server Side Validation • Sanitize queries • ORM / ODM
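The "Server Side Validation" and "Sanitize queries" bullets, as an added example that is not from the talk: a login body is validated against a field schema before any of it becomes a database filter. The schema, the MongoDB-style operator semantics and the sample bodies are assumptions constructed for this example.

```javascript
// Added example (not from the talk): validate request input on the server before
// it becomes a database filter. In MongoDB-style drivers an object value such as
// { "$ne": "" } is itself a query operator, so forwarding an untyped
// { username: body.username } lets the client change the shape of the query.

// Fields a login request may carry and the rules for each (assumed schema).
const LOGIN_SCHEMA = {
  username: { maxLength: 64, pattern: /^[a-z0-9_.-]+$/i },
  password: { maxLength: 256 },
};

// Reject anything that is not a plain string: objects, arrays, numbers and null
// all turn into operators or type-juggled matches once inside a filter.
function validateLoginBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'body must be an object' };
  }
  const clean = {};
  for (const [field, rule] of Object.entries(LOGIN_SCHEMA)) {
    const value = body[field];
    if (typeof value !== 'string') {
      return { ok: false, error: `${field} must be a string` };
    }
    if (value.length === 0 || value.length > rule.maxLength) {
      return { ok: false, error: `${field} has invalid length` };
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      return { ok: false, error: `${field} has invalid characters` };
    }
    clean[field] = value;
  }
  // Unknown keys are dropped rather than forwarded to the query.
  return { ok: true, value: clean };
}

// Only the validated username reaches the filter; the password never becomes
// part of a query, it is compared against the stored hash afterwards.
function buildUserFilter(validated) {
  return { username: validated.value.username };
}

// Constructed sample bodies: one benign, one that smuggles an operator object.
const GOOD_BODY = { username: 'nacho', password: 'correct horse battery' };
const BAD_BODY = { username: { $ne: '' }, password: { $ne: '' } };
```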
Slide 62: XSS
Slide 64: XSS • Server Side Validation • Sanitize inputs • HTML encoding • Frameworks • HTTP Secure Response Headers
Slide 65: Secure Headers: HSTS - HPKP - X-Frame-Options - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy
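The "HTML encoding" and "Secure Headers" bullets from slides 64 and 65, as an added example that is not from the talk: untrusted input is encoded before it is interpolated into markup, and the response gets the secure headers. The header values are defensive defaults assumed here; HPKP and Expect-CT are left out because browsers have since dropped them.

```javascript
// Added example (not from the talk): HTML-encode untrusted input and attach the
// secure response headers from slide 65. Header values are assumed defaults;
// the CSP must be tuned to what the app actually loads.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can break out of text or attribute context.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a greeting where the name comes from the request (untrusted).
function renderGreeting(name) {
  return `<p>Hello, <span class="user">${htmlEncode(name)}</span>!</p>`;
}

// HPKP and Expect-CT are deprecated and omitted. X-XSS-Protection is set to 0:
// modern browsers removed the filter, and CSP is the replacement.
function secureHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '0',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  };
}

// Apply the headers to any response with setHeader (Node http / Express).
function applySecureHeaders(res) {
  for (const [name, value] of Object.entries(secureHeaders())) {
    res.setHeader(name, value);
  }
  return res;
}

// Constructed untrusted input: a "name" that carries markup.
const UNTRUSTED_NAME = '<script>alert("xss")</script>';
```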
Slide 66: DoS
Slide 68: DoS • ⌛ Rate Limiting • ❌ Error handling • Explicit Crashes • Exponential Regex • IP Banning
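The "Rate Limiting" and "IP Banning" bullets combined, as an added example that is not from the talk: a sliding-window limiter that escalates repeat offenders to a temporary ban, with an Express-style middleware around it. The limits, the use of `req.ip` as the client key and the in-memory store are assumptions.

```javascript
// Added example (not from the talk): per-client sliding-window rate limiting
// with a temporary ban after repeated violations. Limits are assumed values; a
// real deployment keeps this state in a shared store, not process memory.
class RateLimiter {
  constructor({ limit = 5, windowMs = 1000, banAfter = 3, banMs = 60000 } = {}) {
    this.limit = limit;        // requests allowed per window per client
    this.windowMs = windowMs;
    this.banAfter = banAfter;  // windows exceeded before the client is banned
    this.banMs = banMs;
    this.clients = new Map();  // key -> { hits, strikes, lastStrikeAt, bannedUntil }
  }

  // Verdict for one request from `key` (e.g. a client IP) at time `now` (ms).
  check(key, now = Date.now()) {
    let c = this.clients.get(key);
    if (!c) {
      c = { hits: [], strikes: 0, lastStrikeAt: -Infinity, bannedUntil: 0 };
      this.clients.set(key, c);
    }
    if (c.bannedUntil > now) return { allowed: false, reason: 'banned' };
    // Drop timestamps that fell out of the sliding window.
    c.hits = c.hits.filter((t) => now - t < this.windowMs);
    if (c.hits.length >= this.limit) {
      // One strike per window, not per rejected request.
      if (now - c.lastStrikeAt >= this.windowMs) {
        c.strikes += 1;
        c.lastStrikeAt = now;
      }
      if (c.strikes >= this.banAfter) {
        c.bannedUntil = now + this.banMs;
        return { allowed: false, reason: 'banned' };
      }
      return { allowed: false, reason: 'rate limited' };
    }
    c.hits.push(now);
    return { allowed: true, reason: 'ok' };
  }
}

// Express-style middleware; `req.ip` is the client address Express exposes.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const verdict = limiter.check(req.ip);
    if (verdict.allowed) return next();
    res.statusCode = 429;
    res.end(verdict.reason);
  };
}
```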
Slide 69: Sessions & Tokens
Slide 70: Sessions & Tokens • ⏱ Expirable • Allow List or Deny List • OAuth - OpenID • Single Sign On
Slide 71: Passwords
Slide 72: Time to crack
Slide 73: Passwords • hash + salt (bcrypt) • Strong Passwords (Entropy) • 2FA / MFA
Slides 74-75: Have I Been Pwned? (https://haveibeenpwned.com)
Slide 76: Have I Been Pwned? API & DB
Slide 77: Dev Passwords & Secrets • CI • Dev Tools • Cloud • Keys - Tokens - Secrets
Slide 78: Dev Passwords & Secrets • Blackbox • Keybase • GPG • Password Managers • Secret Manager (AWS) • MFA
Slide 79: Cookies
Slide 80: Cookie Flags • httpOnly • secure • SameSite
Slide 81: ↩ Cookie Scoping • domain • path • expires
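The flags on slide 80 and the scoping attributes on slide 81 together, as an added example that is not from the talk: a Set-Cookie builder that enforces the browser rules that make the flags meaningful (SameSite=None needs Secure; the `__Host-` prefix needs Secure, Path=/ and no Domain), plus a parser to audit headers a server emits. The defaults are assumptions chosen for a session cookie.

```javascript
// Added example (not from the talk): serialize and parse Set-Cookie headers
// with the flags from slide 80 and the scoping attributes from slide 81.
// Defaults (HttpOnly, Secure, SameSite=Lax, Path=/) are assumed session-cookie settings.
const SAME_SITE = new Set(['Strict', 'Lax', 'None']);

function buildSetCookie(name, value, opts = {}) {
  const {
    httpOnly = true, secure = true, sameSite = 'Lax',
    domain, path = '/', expires, maxAge,
  } = opts;
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('cookie value must be encoded');
  if (!SAME_SITE.has(sameSite)) throw new Error('SameSite must be Strict, Lax or None');
  // Browsers reject SameSite=None unless the cookie is also Secure.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  // __Host- cookies must be Secure, Path=/ and have no Domain: that pins them to one origin.
  if (name.startsWith('__Host-') && (!secure || path !== '/' || domain)) {
    throw new Error('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a header back into attributes, e.g. to audit cookies a server sets.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split('; ');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v;
    else if (key === 'max-age') cookie.maxAge = v;
    else cookie[key] = v;
  }
  return cookie;
}
```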
Slide 82: Logging & Monitoring
Slide 83: Logging & Monitoring • Monitoring: datadog / new relic • Errors: sentry / bugsnag • Logs: papertrail / loggly • Status: checkly / pingdom
Slide 84: Sensitive Data
Slide 87: OWASP Top 10 (owasp.org)
Slide 88: WebGoat
$ docker pull webgoat/webgoat-8.0
$ docker run -p 8080:8080 -t webgoat/webgoat-8.0
Slide 89: Take Away
Slide 91: Start taking care
Slide 93: Thanks! Questions? @ianaya89