Security design in web applications
Jester
April 16, 2016
This is about Inner and Outer security in Web application
Transcript
Security design in web applications
Aleksey Dashkevych, RubyDev/SysAdmin. Twitter: dash_as, Facebook: aleksey.dashkevich, GitHub: jesterovskiy
“software has been designed from the ground up to be secure” (C.O. Secure by design)
Outer Security / Inner Security
Ideal Situation vs. Real Life
Outer: User, Connection, Application, DB

User
  Ideal: Linux/OSX; Firewall; Secure PC; White noise generator
  Real: Keep the password in mind or use a password manager; Make the password strong; Change the password periodically; Keep additional data (DOB, phone)

Connection
  Ideal: Cable; VPN; …
  Real: SSL; SSL updates; SRP protocol; …

Application
  Ideal: Pure HTML; Static pages; …
  Real: CDN; Authentication; Authorization; CSRF, XSS

DB
  Ideal: Encryption; Tape drive backup; Backup?; …
  Real: Backup!; Access rights; bcrypt/scrypt; Salt + Verifier (SRP protocol)
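On the DB slide, "bcrypt/scrypt" means the database stores a salted, deliberately slow hash instead of the password itself. The following is an added example, not code from the deck: it uses Ruby's standard-library OpenSSL::KDF.scrypt rather than the bcrypt gem so it runs without extra gems. The record format, cost parameters and helper names (hash_password, verify_password, needs_rehash?, secure_equal?) are assumptions for illustration.

```ruby
require "openssl"
require "securerandom"

# Cost policy (assumed values). Raise N over time; needs_rehash? flags old records.
SCRYPT_PARAMS = { N: 2**14, r: 8, p: 1, length: 32 }.freeze

# Constant-time comparison so the stored digest cannot be timed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns a self-describing record "scrypt$N$r$p$salt_hex$digest_hex" so the
# parameters travel with the hash and can be strengthened later per record.
def hash_password(password, params = SCRYPT_PARAMS)
  salt = SecureRandom.random_bytes(16) # fresh random salt per password
  digest = OpenSSL::KDF.scrypt(password, salt: salt, **params)
  ["scrypt", params[:N], params[:r], params[:p],
   salt.unpack1("H*"), digest.unpack1("H*")].join("$")
end

# Recomputes scrypt with the parameters stored in the record and compares in constant time.
def verify_password(stored, password)
  scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
  return false unless scheme == "scrypt" && digest_hex
  salt = [salt_hex].pack("H*")
  expected = [digest_hex].pack("H*")
  actual = OpenSSL::KDF.scrypt(password, salt: salt, N: n.to_i, r: r.to_i,
                               p: p.to_i, length: expected.bytesize)
  secure_equal?(actual, expected)
end

# True when the record was hashed with parameters other than the current policy;
# call after a successful login to re-hash with the user's plaintext while you have it.
def needs_rehash?(stored, params = SCRYPT_PARAMS)
  _, n, r, p, = stored.split("$")
  [n.to_i, r.to_i, p.to_i] != [params[:N], params[:r], params[:p]]
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password("correct horse battery staple")
  puts record
  puts verify_password(record, "correct horse battery staple")
  puts verify_password(record, "Tr0ub4dor&3")
end
```

Two hashes of the same password differ because of the per-record salt, and a record that does not start with "scrypt" is rejected rather than compared, so legacy unsalted digests cannot accidentally verify.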
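"SRP protocol" on the Connection slide and "Salt + Verifier (SRP protocol)" on the DB slide are the same mechanism seen from two sides: the client proves it knows the password without ever sending it, and the server keeps only a salt and a verifier v = g^x, which is not enough to log in. The following added example, not code from the deck, runs one SRP-6a exchange with both parties in-process using OpenSSL::BN and the 1024-bit group from RFC 5054 Appendix A. The hash-to-integer convention (colon-joined hex under SHA-256), the helper names and the proof message layout are simplifications for illustration and are not wire-compatible with RFC 5054 implementations.

```ruby
require "openssl"
require "digest"

# 1024-bit safe prime from RFC 5054 Appendix A, generator g = 2.
SRP_N = OpenSSL::BN.new(%w[
  EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576
  D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1
  5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC
  68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3
].join, 16)
SRP_G = OpenSSL::BN.new(2)

# H(): SHA-256 over colon-joined hex strings, as an integer (simplified, not RFC 5054 padding).
def srp_hash(*parts)
  OpenSSL::BN.new(Digest::SHA256.hexdigest(parts.join(":")), 16)
end

# x = H(salt, H(username:password)); only the client ever computes this.
def srp_x(salt_hex, username, password)
  srp_hash(salt_hex, Digest::SHA256.hexdigest("#{username}:#{password}"))
end

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Registration: the DB row holds (username, salt, verifier). No password hash is stored.
def srp_register(username, password)
  salt = OpenSSL::BN.rand(128).to_s(16)
  x = srp_x(salt, username, password)
  { username: username, salt: salt, verifier: SRP_G.mod_exp(x, SRP_N).to_s(16) }
end

# One login; comments mark what crosses the wire. Returns both sides' session keys
# so the caller can see they agree only when the client used the right password.
def srp_login(record, username, password)
  n, g = SRP_N, SRP_G
  k = srp_hash(n.to_s(16), g.to_s(16))
  v = OpenSSL::BN.new(record[:verifier], 16)

  # client -> server: username, A = g^a
  a = OpenSSL::BN.rand(256)
  big_a = g.mod_exp(a, n)
  raise "client sent A = 0 mod N" if (big_a % n).zero?   # RFC 5054 server-side check

  # server -> client: salt, B = k*v + g^b
  b = OpenSSL::BN.rand(256)
  big_b = (k.mod_mul(v, n) + g.mod_exp(b, n)) % n
  raise "server sent B = 0 mod N" if big_b.zero?          # RFC 5054 client-side check

  u = srp_hash(big_a.to_s(16), big_b.to_s(16))

  # client side: S = (B - k*g^x)^(a + u*x); needs the password, which never leaves the client
  x = srp_x(record[:salt], username, password)
  s_client = big_b.mod_sub(k.mod_mul(g.mod_exp(x, n), n), n).mod_exp(a + u * x, n)
  k_client = Digest::SHA256.hexdigest(s_client.to_s(16))

  # server side: S = (A * v^u)^b; needs only the stored salt and verifier
  s_server = big_a.mod_mul(v.mod_exp(u, n), n).mod_exp(b, n)
  k_server = Digest::SHA256.hexdigest(s_server.to_s(16))

  # client -> server: M1 = H(A, B, K); the server recomputes it with its own K
  m1 = Digest::SHA256.hexdigest([big_a.to_s(16), big_b.to_s(16), k_client].join(":"))
  m1_expected = Digest::SHA256.hexdigest([big_a.to_s(16), big_b.to_s(16), k_server].join(":"))

  { authenticated: secure_equal?(m1, m1_expected), client_key: k_client, server_key: k_server }
end

if __FILE__ == $PROGRAM_NAME
  row = srp_register("alice", "correct horse battery staple")
  puts srp_login(row, "alice", "correct horse battery staple")[:authenticated]
  puts srp_login(row, "alice", "wrong")[:authenticated]
end
```

The point for the DB slide: a leaked row gives an attacker only g^x mod N, so they still face an offline dictionary attack on x but cannot impersonate the user directly; the point for the Connection slide: neither the password nor anything equivalent to it travels over the link, which is why SRP is listed alongside SSL rather than instead of it.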
Inner: Application
  Real: Storing API keys in ENV variables; Access rights; CI; Prod, Staging, Testing instances
  Real: Test coverage (simplecov gem); Mutation testing (mutant gem); Verify SSL security (SSLLabs, DigiCert SSL); Check libs' source code
  Real: Make logs easily accessible; Security headers (secureheaders gem); Style guide (rubocop gem); Security Policy
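The secureheaders gem named above adds this class of response headers to a Rails app. As an added example that is not the gem's code, here is a minimal Rack-style middleware doing the same thing in plain Ruby, plus an audit helper in the spirit of the SSLLabs-style checks on the slide that reports which expected headers a response lacks. The policy values, the class name SecurityHeaders and the helper names are assumptions; the sample app is constructed for the example.

```ruby
# Assumed baseline policy; tune CSP per application.
SECURITY_HEADERS = {
  "X-Content-Type-Options" => "nosniff",
  "X-Frame-Options" => "DENY",
  "Referrer-Policy" => "strict-origin-when-cross-origin",
  "Content-Security-Policy" =>
    "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
}.freeze
HSTS = "max-age=31536000; includeSubDomains".freeze

# Rack middleware: wraps an app and adds headers the app did not set itself.
class SecurityHeaders
  def initialize(app, overrides = {})
    @app = app
    @headers = SECURITY_HEADERS.merge(overrides)
  end

  def call(env)
    status, headers, body = @app.call(env)
    @headers.each { |name, value| headers[name] = value unless header_set?(headers, name) }
    # HSTS only on HTTPS responses: browsers ignore it over plain HTTP, and
    # rack.url_scheme should come from TLS termination you control, not a client header.
    if env["rack.url_scheme"] == "https" && !header_set?(headers, "Strict-Transport-Security")
      headers["Strict-Transport-Security"] = HSTS
    end
    [status, headers, body]
  end

  private

  def header_set?(headers, name)
    headers.keys.any? { |k| k.casecmp?(name) }
  end
end

# Audit: which of the expected headers are absent from a response?
def missing_security_headers(headers, https: true)
  expected = SECURITY_HEADERS.keys
  expected += ["Strict-Transport-Security"] if https
  expected.reject { |name| headers.keys.any? { |k| k.casecmp?(name) } }
end

# Constructed sample app with no security headers of its own.
BARE_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>hi</h1>"]] }

# Calls an app with a minimal Rack env and returns only the response headers.
def respond(app, scheme)
  _status, headers, _body = app.call("rack.url_scheme" => scheme, "PATH_INFO" => "/")
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts "bare app is missing: #{missing_security_headers(respond(BARE_APP, 'https')).join(', ')}"
  wrapped = SecurityHeaders.new(BARE_APP)
  puts "wrapped app is missing: #{missing_security_headers(respond(wrapped, 'https')).inspect}"
end
```

Because the middleware never overwrites a header the app set, a single endpoint can still relax one value (for example X-Frame-Options: SAMEORIGIN for an embeddable widget) without losing the rest of the baseline.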
Thank You is hiring =)