Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security design in web applications
Search
Jester
April 16, 2016
Technology
0
190
Security design in web applications
This is about Inner and Outer security in Web application
Jester
April 16, 2016
Tweet
Share
More Decks by Jester
See All by Jester
Ruby Chat Bots: Work and Fun together
jesterovskiy
0
57
Epic API Fight
jesterovskiy
0
86
Other Decks in Technology
See All in Technology
Accessibility Inspectorを活用した アプリのアクセシビリティ向上方法
hinakko
0
110
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
0
430
Evolving Architecture
rainerhahnekamp
3
220
スケールし続ける事業とサービスを支える組織とアーキテクチャの生き残り戦略 / The survival strategy for Money Forward’s engineering.
moneyforward
0
240
Azureの開発で辛いところ
re3turn
0
200
AWSの生成AIサービス Amazon Bedrock入門!(2025年1月版)
minorun365
PRO
7
380
C++26 エラー性動作
faithandbrave
2
880
ヤプリQA課題の見える化
gu3
0
150
OPENLOGI Company Profile for engineer
hr01
1
17k
mixi2 の技術スタックを探ってみる (アプリ編)
ichiki1023
0
110
20240522 - 躍遷創作理念 @ PicCollage Workshop
dpys
0
310
Fabric 移行時の躓きポイントと対応策
ohata_ds
1
130
Featured
See All Featured
What's in a price? How to price your products and services
michaelherold
244
12k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
How to train your dragon (web standard)
notwaldorf
88
5.8k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
550
KATA
mclloyd
29
14k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
2
160
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
45
2.3k
How to Ace a Technical Interview
jacobian
276
23k
How STYLIGHT went responsive
nonsquared
96
5.3k
The Language of Interfaces
destraynor
155
24k
Transcript
Security design in web applications
Aleksey Dashkevych RubyDev/SysAdmin twitter://dash_as facebook://aleksey.dashkevich github://jesterovskiy
“software has been designed from the ground up to be
secure” C.O. Secure by design
Outer Security Inner Security
Ideal Situation Real Life
None
None
None
User Outer Connection Application DB
User
Linux/OSX Firewall Secure PC White noise generator Ideal
Keep password in mind or use pass saver Make password
strong Change password each period of time Real Keep additional data (DOB, phone)
Connection
Cable VPN … Ideal
SSL SSL updates SRP protocol Real …
Application
Pure HTML Static pages … Ideal
CDN Authentification Authorization Real CRF, XSS
DB
Encryption Tape Drive backup Backup? … Ideal
Backup! Access rights bcrypt/scrypt Real Salt + Verifier (SRP protocol)
Inner Application
Storing API keys in ENV variables Access rights CI Real
Prod, Staging, Testing instances
Test coverage Verify SSL security Real Check libs source code
simplecov gem SSLLabs, DigiCert SSL Mutation testing mutant gem
Make logs simply accessible Security headers Styleguide Real secureheaders gem
rubocop gem Security Policy
Thank You is hiring =)
jesterovskiy
hinakko
tkmru
rainerhahnekamp
moneyforward
re3turn
minorun365
faithandbrave
gu3
hr01
ichiki1023
dpys
ohata_ds
michaelherold
caitiem20
notwaldorf
samlambert
scottboms
tammyeverts
mclloyd
sergeychernyshev
jacobian
nonsquared
destraynor
