Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security is not a feature‼️
Search
Ignacio Anaya
February 27, 2021
Programming
2
500
Security is not a feature‼️
JS World 2021
Ignacio Anaya
February 27, 2021
Tweet
Share
More Decks by Ignacio Anaya
See All by Ignacio Anaya
Rompiendo Paradigmas Otra Vuez! 🔨📜3️⃣
ianaya89
0
140
Security is not a feature!
ianaya89
1
360
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
130
What's next in Vue 3? 🖖 3️⃣
ianaya89
0
290
Vue.js, PWA & The Subway Dilemma
ianaya89
0
200
PWA with PWF
ianaya89
0
69
Decentralizing the Web with JavaScript
ianaya89
0
140
hey-devs-time-to-care-about-web-apps-security.pdf
ianaya89
0
120
A Token Walks into SPA
ianaya89
0
590
Other Decks in Programming
See All in Programming
プログラミングどうやる? ~テスト駆動開発から学ぶ達人の型~
a_okui
0
190
CSC305 Lecture 04
javiergs
PRO
0
230
大規模アプリにおけるXcode Previews実用化までの道のり
ikesyo
0
970
Current States of Java Web Frameworks at JCConf 2025
kishida
0
540
Back to the Future: Let me tell you about the ACP protocol
terhechte
0
120
10年もののAPIサーバーにおけるCI/CDの改善の奮闘
mbook
0
640
いま中途半端なSwift 6対応をするより、Default ActorやApproachable Concurrencyを有効にしてからでいいんじゃない?
yimajo
2
230
Pythonスレッドとは結局何なのか? CPython実装から見るNoGIL時代の変化
curekoshimizu
4
1.1k
フロントエンド開発に役立つクライアントプログラム共通のノウハウ / Universal client-side programming best practices for frontend development
nrslib
7
3.8k
Pull-Requestの内容を1クリックで動作確認可能にするワークフロー
natmark
1
330
Reactをクライアントで使わない
yusukebe
7
6.3k
Build your own WebP codec in Swift
kishikawakatsumi
2
860
Featured
See All Featured
Fireside Chat
paigeccino
40
3.7k
How to Ace a Technical Interview
jacobian
280
23k
Large-scale JavaScript Application Architecture
addyosmani
513
110k
Reflections from 52 weeks, 52 projects
jeffersonlam
352
21k
The Straight Up "How To Draw Better" Workshop
denniskardys
237
140k
Documentation Writing (for coders)
carmenintech
75
5k
The World Runs on Bad Software
bkeepers
PRO
71
11k
How to Think Like a Performance Engineer
csswizardry
27
2k
Producing Creativity
orderedlist
PRO
347
40k
Context Engineering - Making Every Token Count
addyosmani
3
150
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
5.6k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
Transcript
Security is not a feature !" Security is not a
feature ‼ - @ianaya89 1
! Nacho Anaya ! @ianaya89 • ! Lead OSS Engineer
@ChecklyHQ • " Ambassador @Auth0 • # Streaming @ianaya89 Security is not a feature ‼ - @ianaya89 2
! Security is not a feature ‼ - @ianaya89 3
!" Security is not a feature ‼ - @ianaya89 4
"There are two types of companies: those that have been
hacked, and those who don't know they have been hacked." John T. Chambers Security is not a feature ‼ - @ianaya89 5
! Security is not a feature ‼ - @ianaya89 6
! Security is not a feature ‼ - @ianaya89 7
Security is not a feature ‼ - @ianaya89 8
Security is not a feature ‼ - @ianaya89 9
Security is not a feature ‼ - @ianaya89 10
Security is not a feature ‼ - @ianaya89 11
! ~11.3 Billons informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks Security is not a feature ‼
- @ianaya89 12
Security is not a feature ‼ - @ianaya89 13
! Security is not a feature ‼ - @ianaya89 14
! ... ! Uneven Competition Security is not a feature
‼ - @ianaya89 15
! Security is not a feature ‼ - @ianaya89 16
! Lose Money Security is not a feature ‼ -
@ianaya89 17
! Lose Trust Security is not a feature ‼ -
@ianaya89 18
! Security is not a feature ‼ - @ianaya89 19
✍ Culture • ! Training • " Politics • ⏱
Time • $ Money % Security is not a feature ‼ - @ianaya89 20
"If you spend more on coffee than on IT security,
you will be hacked. What's more, you deserve to be hacked" Richard A. Clarke Security is not a feature ‼ - @ianaya89 21
! " Invest! Security is not a feature ‼ -
@ianaya89 22
! Security is not a feature ‼ - @ianaya89 23
! Systemic Thinking Security is not a feature ‼ -
@ianaya89 24
! Vulnerabilities Security is not a feature ‼ - @ianaya89
25
"Vulnerabilities are like ants, they are everywhere" Nacho Anaya Security
is not a feature ‼ - @ianaya89 26
Heartbleed Security is not a feature ‼ - @ianaya89 27
Security is not a feature ‼ - @ianaya89 28
! Web is Complex Security is not a feature ‼
- @ianaya89 29
! HTTP/S - WebSockets - DNS - TCP FTP -
IPv4 - IPv6 - SSH- ASCII - IRC Security is not a feature ‼ - @ianaya89 30
! Browsers too Security is not a feature ‼ -
@ianaya89 31
! HTML - CSS - JS Security is not a
feature ‼ - @ianaya89 32
! DOM - Geolocation - Multimedia Fetch - Web Sockets
- Storage Security is not a feature ‼ - @ianaya89 33
! Security is not a feature ‼ - @ianaya89 34
! The Solution Security is not a feature ‼ -
@ianaya89 35
! No perfect solution Security is not a feature ‼
- @ianaya89 36
! But we can be ready Security is not a
feature ‼ - @ianaya89 37
! Security is not a feature ‼ - @ianaya89 38
! Security is not "nice to have" Security is not
a feature ‼ - @ianaya89 39
! Security is by default Security is not a feature
‼ - @ianaya89 40
! Assume the worst Security is not a feature ‼
- @ianaya89 41
ALWAYS Security is not a feature ‼ - @ianaya89 42
! Your app is your bestie Security is not a
feature ‼ - @ianaya89 43
! Input vectors Security is not a feature ‼ -
@ianaya89 44
! Query String - URL Path - Request Body -
Cookies Request Headers - Form Fields - File Inputs Emails - Web Socket - Browser Storage - Hooks Security is not a feature ‼ - @ianaya89 45
⚠ Never trust your users Security is not a feature
‼ - @ianaya89 46
! Security is not a feature ‼ - @ianaya89 47
! HTTPS ! 2021 Security is not a feature ‼
- @ianaya89 48
Security is not a feature ‼ - @ianaya89 49
⬇ LTS Security is not a feature ‼ - @ianaya89
50
Dependencies Security is not a feature ‼ - @ianaya89 51
Security is not a feature ‼ - @ianaya89 52
! "Your code is not your code, but their bugs
are your bugs." Nacho Anaya Security is not a feature ‼ - @ianaya89 53
! eslint-scope eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes Security is not a feature ‼ -
@ianaya89 54
Security is not a feature ‼ - @ianaya89 55
Security is not a feature ‼ - @ianaya89 56
Security is not a feature ‼ - @ianaya89 57
! SQL / No-SQL Injection Security is not a feature
‼ - @ianaya89 58
Security is not a feature ‼ - @ianaya89 59
Security is not a feature ‼ - @ianaya89 60
! SQL / No-SQL Injection • ‼ Server Side Validation
• " Sanitize queries • # ORM / ODM Security is not a feature ‼ - @ianaya89 61
! XSS Security is not a feature ‼ - @ianaya89
62
Security is not a feature ‼ - @ianaya89 63
! XSS • ‼ Server Side Validation • " Sanitize
inputs • # HTML encoding • $ Frameworks • % HTTP Secure Response Headers Security is not a feature ‼ - @ianaya89 64
! XSS Headers - HSTS - HPKP - X-Frame-Options -
X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy ! Secure Headers Security is not a feature ‼ - @ianaya89 65
! DoS Security is not a feature ‼ - @ianaya89
66
Security is not a feature ‼ - @ianaya89 67
! DoS • ⌛ Rate Limiting • ❌ Error handling
• # Explicit Crashes • $ Exponential Regex • % IP Banning Security is not a feature ‼ - @ianaya89 68
! Sessions & Tokens Security is not a feature ‼
- @ianaya89 69
! Sessions & Tokens • ⏱ Expirable • " Allow
List or Deny List • # OAUTH - OpenID • $ Single Sign On Security is not a feature ‼ - @ianaya89 70
! Passwords Security is not a feature ‼ - @ianaya89
71
Time to crack Security is not a feature ‼ -
@ianaya89 72
! Passwords • ! hash + salt (bcrypt) • "
Strong Passwords (Entropy) • # 2FA / MFA Security is not a feature ‼ - @ianaya89 73
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature ‼ - @ianaya89 74
! " Have I been pawned? https://haveibeenpwned.com Security is not
a feature ‼ - @ianaya89 75
! " Have I been pawned? ! API & DB
Security is not a feature ‼ - @ianaya89 76
! Dev Passwords & Secrets • ! CI • "
Dev Tools • # Cloud • $ Keys - Tokens - Secrets Security is not a feature ‼ - @ianaya89 77
! Dev Passwords & Secrets • Blackbox • Keybase •
GPG • Password Managers • Secret Manager (AWS) • MFA ! Security is not a feature ‼ - @ianaya89 78
! Cookies Security is not a feature ‼ - @ianaya89
79
! " Cookies Flags • httpOnly • secure • SameSite
Security is not a feature ‼ - @ianaya89 80
! ↩ Cookies Scoping • domain • path • expires
Security is not a feature ‼ - @ianaya89 81
! Logging & Monitoring Security is not a feature ‼
- @ianaya89 82
! " Logging & Monitoring • ! Monitoring: datadog /
new relic • " Errors: sentry / bugsnag • # Logs: papertrail / loggly • $ Status: checkly / pingdom Security is not a feature ‼ - @ianaya89 83
! Sensitive Data Security is not a feature ‼ -
@ianaya89 84
Security is not a feature ‼ - @ianaya89 85
Security is not a feature ‼ - @ianaya89 86
! OWASP Top 10 owasp.org Security is not a feature
‼ - @ianaya89 87
! WebGoat $ docker pull webgoat/webgoat-8.0 $ docker run -p
8080:8080 -t webgoat/webgoat-8.0 Security is not a feature ‼ - @ianaya89 88
! Take Away Security is not a feature ‼ -
@ianaya89 89
Security is not a feature ‼ - @ianaya89 90
! Start taking care Security is not a feature ‼
- @ianaya89 91
! Security is not a feature ‼ - @ianaya89 92
! Thanks! ! Questions? ! @ianaya89 Security is not a
feature ‼ - @ianaya89 93