Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security design in web applications

Eda1654eec376ad5a305a3c6b47275e8?s=47 Jester
April 16, 2016
Technology
0
130

Security design in web applications

This is about Inner and Outer security in Web application

Eda1654eec376ad5a305a3c6b47275e8?s=128

Jester

April 16, 2016
Tweet

More Decks by Jester

See All by Jester
Ruby Chat Bots: Work and Fun together
Eda1654eec376ad5a305a3c6b47275e8?s=48 jesterovskiy
0
43
Epic API Fight
Eda1654eec376ad5a305a3c6b47275e8?s=48 jesterovskiy
0
73

Other Decks in Technology

See All in Technology
プロダクトグロースと技術のベースアップを両立させるRettyのアプリ開発スタイル / Achieve Product Growth and Tech Update
1a74617b91d2757b839b9cf3614648ce?s=48 imaizume
1
270
AWS Control TowerとAWS Organizationsを活用した組織におけるセキュリティ設定
F2ccc400e285972d80feab0e4e57b5f7?s=48 fu3ak1
2
620
srenext2022-skaru
B16717ef4b7aab0b253d933c3934f280?s=48 mixi_engineers
0
410
一人から始めるプロダクトSRE / How to start SRE in a product team, all by yourself
12a5cec7a54018170b1a009731acf477?s=48 vtryo
4
2.4k
モデリング、コンテキスト トランジション +1 / Data modeling
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
0
110
モダンデータスタックとかの話(データエンジニアのお仕事とは)
95be3c1812a3ae53c2d81cc7ea2eeb3d?s=48 foursue
0
320
スタートアップ入社4日目までに考えたAWSのセキュリティ向上/ Startup AWS Security
0b238801605070def81a98cfe8061aee?s=48 shonansurvivors
3
2.7k
アルプの 認証/認可分離戦略と手法
C6a8cb5e13aa716521d522471ec4e4cd?s=48 ma2k8
PRO
1
230
Kubernetesの上に作る、統一されたマイクロサービス運用体験
5292dd0924f5e440a4b7ff40b165a0b4?s=48 tkuchiki
1
750
LINEスタンプの実例紹介 小さく始める障害検知・対応・振り返りの 改善プラクティス
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
3
1.3k
~スタートアップの人たちに捧ぐ~ 監視再入門 in AWS
Bf5ee9059859ed5d855b5ff4680e63e2?s=48 track3jyo
PRO
31
8.5k
プロダクション環境の信頼性を損ねず観測する技術
3baceb46dfe36422370df30b8eab61d1?s=48 egmc
4
330

Featured

See All Featured
A Modern Web Designer's Workflow
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
689
180k
Navigating Team Friction
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
How STYLIGHT went responsive
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
85
3.9k
Visualization
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
124
11k
The Art of Programming - Codeland 2020
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
31
5.8k
Typedesign – Prime Four
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
33
1.3k
Building an army of robots
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
299
40k
Learning to Love Humans: Emotional Interface Design
5f50f94346fbcb23706f0707169317a4?s=48 aarron
261
37k
Optimizing for Happiness
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
365
63k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
237
19k
Rails Girls Zürich Keynote
24fc194843a71f10949be18d5a692682?s=48 gr2m
86
12k
Done Done
282d599b414022eba5096510f675b6e2?s=48 chrislema
174
14k

Transcript

  1. Security design in web applications

  2. Aleksey Dashkevych RubyDev/SysAdmin twitter://dash_as facebook://aleksey.dashkevich github://jesterovskiy

  3. “software has been designed from the ground up to be

    secure” C.O. Secure by design

  4. Outer Security Inner Security

  5. Ideal Situation Real Life

  6. None
  7. None
  8. None

  9. User Outer Connection Application DB

  10. User

  11. Linux/OSX Firewall Secure PC White noise generator Ideal

  12. Keep password in mind or use pass saver Make password

    strong Change password each period of time Real Keep additional data (DOB, phone)

  13. Connection

  14. Cable VPN … Ideal

  15. SSL SSL updates SRP protocol Real …

  16. Application

  17. Pure HTML Static pages … Ideal

  18. CDN Authentification Authorization Real CRF, XSS

  19. DB

  20. Encryption Tape Drive backup Backup? … Ideal

  21. Backup! Access rights bcrypt/scrypt Real Salt + Verifier (SRP protocol)

  22. Inner Application

  23. Storing API keys in ENV variables Access rights CI Real

    Prod, Staging, Testing instances

  24. Test coverage Verify SSL security Real Check libs source code

    simplecov gem SSLLabs, DigiCert SSL Mutation testing mutant gem

  25. Make logs simply accessible Security headers Styleguide Real secureheaders gem

    rubocop gem Security Policy

  26. Thank You is hiring =)