Security design in web applications

Transcript

1. Security design in web applications

2. Aleksey Dashkevych RubyDev/SysAdmin twitter://dash_as facebook://aleksey.dashkevich github://jesterovskiy

3. “software has been designed from the ground up to be

   secure” C.O. Secure by design

4. Outer Security Inner Security

5. Ideal Situation Real Life

6. None
7. None
8. None

9. User Outer Connection Application DB

10. User

11. Linux/OSX Firewall Secure PC White noise generator Ideal

12. Keep password in mind or use pass saver Make password

    strong Change password each period of time Real Keep additional data (DOB, phone)

13. Connection

14. Cable VPN … Ideal

15. SSL SSL updates SRP protocol Real …

16. Application

17. Pure HTML Static pages … Ideal

18. CDN Authentification Authorization Real CRF, XSS

19. DB

20. Encryption Tape Drive backup Backup? … Ideal

21. Backup! Access rights bcrypt/scrypt Real Salt + Verifier (SRP protocol)

22. Inner Application

23. Storing API keys in ENV variables Access rights CI Real

    Prod, Staging, Testing instances

24. Test coverage Verify SSL security Real Check libs source code

    simplecov gem SSLLabs, DigiCert SSL Mutation testing mutant gem

25. Make logs simply accessible Security headers Styleguide Real secureheaders gem

    rubocop gem Security Policy

26. Thank You is hiring =)