
Security design in web applications

Jester
April 16, 2016


This talk is about inner and outer security in web applications.


Transcript

  1. Security design in web applications

  2. Aleksey Dashkevych
     RubyDev/SysAdmin
     twitter://dash_as
     facebook://aleksey.dashkevich
     github://jesterovskiy

  3. “software has been designed from the ground up to be secure”
     C.O. Secure by design

  4. Outer Security
     Inner Security

  5. Ideal Situation
     Real Life

  9. Outer: User, Connection, Application, DB

  10. User

  11. Ideal:
      Linux/OSX
      Firewall
      Secure PC
      White noise generator

  12. Real:
      Keep password in mind or use a password saver
      Make password strong
      Change password each period of time
      Keep additional data (DOB, phone)

  13. Connection

  14. Ideal:
      Cable
      VPN

  15. Real:
      SSL
      SSL updates
      SRP protocol

  16. Application

  17. Ideal:
      Pure HTML
      Static pages

  18. Real:
      CDN
      Authentication
      Authorization
      CSRF, XSS

  19. DB

  20. Ideal:
      Encryption
      Tape drive backup
      Backup?

  21. Real:
      Backup!
      Access rights
      bcrypt/scrypt
      Salt + verifier (SRP protocol)

  22. Inner Application

  23. Real:
      Storing API keys in ENV variables
      Access rights
      CI
      Prod, Staging, Testing instances

  24. Real:
      Test coverage (simplecov gem)
      Verify SSL security (SSLLabs, DigiCert SSL)
      Check libs source code
      Mutation testing (mutant gem)

  25. Real:
      Make logs simply accessible
      Security headers (secureheaders gem)
      Styleguide (rubocop gem)
      Security Policy

  26. Thank You
      is hiring =)