$30 off During Our Annual Pro Sale. View Details »

Security design in web applications

Jester
April 16, 2016
Technology
0
180

Security design in web applications

This is about Inner and Outer security in Web application

Jester

April 16, 2016
Tweet

More Decks by Jester

See All by Jester
Ruby Chat Bots: Work and Fun together
jesterovskiy
0
52
Epic API Fight
jesterovskiy
0
80

Other Decks in Technology

See All in Technology
更新”しない”ドキュメント管理 「イミュータブルドキュメントモデル」の実運用
kosui
11
1.6k
AI Transformation に向けた Microsoft Copilot Stack と Data 戦略
dahatake
1
300
生成AIでシステム開発はどう変わるか
etaroid
19
7.9k
Repro の開発組織体制の変遷そして Platform Engineering / Platform Engineering Meetup #6
a_bicky
3
820
「成長サイクル」でVUCAの時代を乗りこなす
ar_tama
1
230
継続的なコツコツ技術広報とブランディング磨き込みの過程と課題/engineering-brand
nishiuma
0
110
エンタープライズSaaSへの挑戦〜顧客の事業を成長させるプロダクトマネジメントとは?〜 / pmconf2023
route06
2
1.1k
DMMオンラインサロン エンジニア採用資料/ for-software-engineers
onlinesalon
0
3.6k
AI・機械学習ライブラリを使ったWebアプリでワクワク体験! / Qiita Night~AI、機械学習 / 20231201
you
PRO
1
1.5k
reInvent2023のセキュリティまとめしてGuardDutyQとコストの話します
cmusudakeisuke
0
250
合宿はいいぞ / Training camp is so good.
okamototakuyasr2
0
120
開発組織の体制づくり、いつやるか問題
akiroom
0
2k

Featured

See All Featured
How GitHub (no longer) Works
holman
299
140k
Building Applications with DynamoDB
mza
87
5.3k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.3k
Embracing the Ebb and Flow
colly
77
3.9k
Thoughts on Productivity
jonyablonski
55
3.5k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k
Typedesign – Prime Four
hannesfritz
35
1.8k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
Bash Introduction
62gerente
603
210k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.2k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
10 Git Anti Patterns You Should be Aware of
lemiorhan
645
57k

Transcript

  1. Security
    design
    in web applications

    View Slide

  2. Aleksey Dashkevych
    RubyDev/SysAdmin
    twitter://dash_as
    facebook://aleksey.dashkevich
    github://jesterovskiy

    View Slide

  3. “software has
    been designed
    from the ground
    up to be secure”
    C.O.
    Secure
    by design

    View Slide

  4. Outer
    Security
    Inner
    Security

    View Slide

  5. Ideal
    Situation
    Real
    Life

    View Slide

  6. View Slide

  7. View Slide

  8. View Slide

  9. User
    Outer
    Connection
    Application
    DB

    View Slide

  10. User

    View Slide

  11. Linux/OSX
    Firewall
    Secure PC
    White noise
    generator
    Ideal

    View Slide

  12. Keep password
    in mind or use
    pass saver
    Make password
    strong
    Change password
    each period of time
    Real
    Keep additional
    data (DOB, phone)

    View Slide

  13. Connection

    View Slide

  14. Cable
    VPN

    Ideal

    View Slide

  15. SSL
    SSL updates
    SRP protocol
    Real

    View Slide

  16. Application

    View Slide

  17. Pure HTML
    Static pages

    Ideal

    View Slide

  18. CDN
    Authentification
    Authorization
    Real
    CRF, XSS

    View Slide

  19. DB

    View Slide

  20. Encryption
    Tape Drive
    backup
    Backup?

    Ideal

    View Slide

  21. Backup!
    Access rights
    bcrypt/scrypt
    Real
    Salt + Verifier
    (SRP protocol)

    View Slide

  22. Inner Application

    View Slide

  23. Storing API keys
    in ENV variables
    Access rights
    CI
    Real
    Prod, Staging,
    Testing instances

    View Slide

  24. Test coverage
    Verify SSL security
    Real
    Check libs source
    code
    simplecov gem
    SSLLabs, DigiCert SSL
    Mutation testing
    mutant gem

    View Slide

  25. Make logs simply
    accessible
    Security headers
    Styleguide
    Real
    secureheaders gem
    rubocop gem
    Security Policy

    View Slide

  26. Thank
    You is hiring =)

    View Slide