Speaker Deck
Security design in web applications
Jester
April 16, 2016
Technology
This deck is about inner and outer security in web applications.
Transcript
Security design in web applications
Aleksey Dashkevych, RubyDev/SysAdmin. twitter://dash_as, facebook://aleksey.dashkevich, github://jesterovskiy
“software has been designed from the ground up to be secure” (C.O. Secure by design)
Outer Security / Inner Security
Ideal Situation / Real Life
Outer: User -> Connection -> Application -> DB
User
  Ideal: Linux/OSX, firewall, secure PC, white noise generator
  Real: keep the password in mind or use a password saver; make the password strong; change the password periodically; keep additional data (DOB, phone)
Connection
  Ideal: cable, VPN, …
  Real: SSL, SSL updates, SRP protocol, …
Application
  Ideal: pure HTML, static pages, …
  Real: CDN, authentication, authorization, CSRF, XSS
DB
  Ideal: encryption, tape drive backup, backup?, …
  Real: backup!, access rights, bcrypt/scrypt, salt + verifier (SRP protocol)
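The DB slide lists bcrypt/scrypt and a salt as the "real life" way to store passwords. The following is an added example, not code from the deck or from the bcrypt/scrypt gems it names: it derives a salted scrypt hash with Ruby's bundled OpenSSL::KDF, stores the parameters and salt next to the derived key so verification needs no out-of-band configuration, and compares in constant time. The record format and parameter choices are this example's own assumptions.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example: scrypt work factors (assumed values; raise N on faster hardware).
SCRYPT_PARAMS = { N: 2**14, r: 8, p: 1, length: 32 }.freeze

# Build a self-describing record "scrypt$N$r$p$salt$key" with a fresh
# random salt per password, so identical passwords never share a hash.
def hash_password(password, salt: SecureRandom.random_bytes(16))
  key = OpenSSL::KDF.scrypt(password, salt: salt, **SCRYPT_PARAMS)
  "scrypt$#{SCRYPT_PARAMS[:N]}$#{SCRYPT_PARAMS[:r]}$#{SCRYPT_PARAMS[:p]}$" \
    "#{Base64.strict_encode64(salt)}$#{Base64.strict_encode64(key)}"
end

# Constant-time byte comparison: a mismatch in the first byte and one in the
# last byte take the same time, so timing does not reveal how much matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive with the parameters stored in the record and compare.
def verify_password(password, stored)
  scheme, n, r, p, salt_b64, key_b64 = stored.split('$')
  return false unless scheme == 'scrypt' && key_b64
  salt = Base64.strict_decode64(salt_b64)
  expected = Base64.strict_decode64(key_b64)
  candidate = OpenSSL::KDF.scrypt(password, salt: salt, N: n.to_i, r: r.to_i,
                                  p: p.to_i, length: expected.bytesize)
  secure_equal?(candidate, expected)
end
```

Because the salt is random and stored with the hash, two users with the same password get different records, and changing the work factors later only requires re-hashing on the next successful login, since old records still carry their own parameters.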
Inner Application
  Real: storing API keys in ENV variables; access rights; CI; Prod, Staging and Testing instances
  Real: test coverage (simplecov gem); verify SSL security (SSLLabs, DigiCert SSL); check libs' source code; mutation testing (mutant gem)
  Real: make logs simply accessible; security headers (secureheaders gem); styleguide (rubocop gem); security policy
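The slide names security headers and the secureheaders gem. As an added example (hand-written here, not the gem's API and not code from the deck), a minimal Rack-style middleware that sets a conservative default header set, leaves any header the application already chose untouched, and only emits Strict-Transport-Security on HTTPS responses, since browsers ignore HSTS received over plain HTTP. The inner app and the header values are constructed for the example; headers are a plain hash with the casing Rack 2 uses.

```ruby
# Added example: a Rack-compatible middleware that adds security headers.
class SecurityHeaders
  DEFAULT_HEADERS = {
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options'    => 'nosniff',
    'X-Frame-Options'           => 'DENY',
    'Referrer-Policy'           => 'strict-origin-when-cross-origin',
    'Content-Security-Policy'   => "default-src 'self'; object-src 'none'; frame-ancestors 'none'"
  }.freeze

  def initialize(app, headers: {})
    @app = app
    @headers = DEFAULT_HEADERS.merge(headers)
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Do not clobber a header the application set deliberately (e.g. a page-specific CSP).
    @headers.each { |name, value| headers[name] ||= value }
    # HSTS is only meaningful on an HTTPS response.
    headers.delete('Strict-Transport-Security') unless https?(env)
    [status, headers, body]
  end

  private

  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end

# Constructed inner app standing in for Rails/Sinatra; it sets its own CSP.
PLAIN_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html', 'Content-Security-Policy' => "default-src 'self'" },
   ['<h1>hi</h1>']]
end

# Run one request through the middleware and return the Rack triplet.
def demo_response(scheme: 'https')
  app = SecurityHeaders.new(PLAIN_APP)
  app.call({ 'rack.url_scheme' => scheme, 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' })
end
```

In a Rails app this would be inserted with config.middleware.use; the same ordering concern applies to the real gem, which is why it is usually placed early in the stack so every response, including error pages, carries the headers.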
Thank You is hiring =)