Security design in web applications
Jester
April 16, 2016
Technology
This deck is about inner and outer security in web applications.
Transcript
Security design in web applications
Aleksey Dashkevych, RubyDev/SysAdmin
twitter://dash_as  facebook://aleksey.dashkevich  github://jesterovskiy

“software has been designed from the ground up to be secure” C.O. Secure by design

Outer Security | Inner Security

Ideal Situation | Real Life

Outer: User, Connection, Application, DB

User
  Ideal: Linux/OSX, Firewall, Secure PC, White noise generator
  Real: Keep password in mind or use a password saver; Make password strong; Change password each period of time; Keep additional data (DOB, phone)

Connection
  Ideal: Cable, VPN, …
  Real: SSL, SSL updates, SRP protocol, …

Application
  Ideal: Pure HTML, Static pages, …
  Real: CDN, Authentication, Authorization, CSRF, XSS

DB
  Ideal: Encryption, Tape Drive backup, Backup?, …
  Real: Backup!, Access rights, bcrypt/scrypt, Salt + Verifier (SRP protocol)
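The DB slide's "Real" column pairs bcrypt/scrypt with a per-user salt. The following is an added example (not code from the deck or from any gem it names) of what that looks like in Ruby using only the standard library: scrypt via OpenSSL::KDF, a random salt, a constant-time comparison, and a self-describing record format so the cost parameters can be raised later. The record format ("scrypt$N$r$p$salt$hash") and the parameter values are this example's own assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Password storage for the "Real" column of the DB slide: a random per-user
# salt plus a memory-hard KDF (scrypt, from Ruby's stdlib OpenSSL::KDF) rather
# than a bare hash. Record format and parameters are assumptions of this
# example, not taken from the deck.
module PasswordStore
  SCRYPT_N = 2**14   # CPU/memory cost; raise as hardware gets faster
  SCRYPT_R = 8       # block size
  SCRYPT_P = 1       # parallelism
  HASH_LEN = 32      # bytes of derived key to store
  SALT_LEN = 16      # bytes of random salt per record
  FIELDS   = 6       # algo$N$r$p$salt$hash

  # Derive HASH_LEN bytes from password and salt with the given scrypt parameters.
  def self.derive(password, salt, n, r, p)
    OpenSSL::KDF.scrypt(password, salt: salt, N: n, r: r, p: p, length: HASH_LEN)
  end

  # Build a self-describing record "scrypt$N$r$p$<salt hex>$<hash hex>", so the
  # parameters can be raised later without invalidating existing records.
  def self.create(password, salt: SecureRandom.random_bytes(SALT_LEN))
    digest = derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    ['scrypt', SCRYPT_N, SCRYPT_R, SCRYPT_P,
     salt.unpack1('H*'), digest.unpack1('H*')].join('$')
  end

  # Recompute the hash with the parameters stored in the record and compare in
  # constant time. Malformed or foreign records verify as false, never raise.
  def self.verify(password, stored)
    return false unless stored.is_a?(String)
    parts = stored.split('$')
    return false unless parts.size == FIELDS && parts[0] == 'scrypt'
    n, r, p  = parts[1, 3].map(&:to_i)
    salt     = [parts[4]].pack('H*')
    expected = [parts[5]].pack('H*')
    actual   = derive(password, salt, n, r, p)
    return false unless actual.bytesize == expected.bytesize
    OpenSSL.fixed_length_secure_compare(actual, expected)
  rescue OpenSSL::KDF::KDFError
    false # e.g. a tampered record with N that is not a power of two
  end

  # True when a record was made with weaker parameters than the current
  # defaults, i.e. it should be re-hashed on the user's next successful login.
  def self.needs_rehash?(stored)
    parts = stored.to_s.split('$')
    return true unless parts.size == FIELDS && parts[0] == 'scrypt'
    parts[1].to_i < SCRYPT_N || parts[2].to_i < SCRYPT_R
  end
end
```

The salt is what turns "bcrypt/scrypt" into a real defence: two users with the same password get different records, and a precomputed table is useless. Storing the parameters in the record is what lets you raise N in a few years without a forced password reset, which is the same reason bcrypt strings carry their cost factor.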
Inner: Application
  Real: Storing API keys in ENV variables; Access rights; CI; Prod, Staging, Testing instances
  Real: Test coverage (simplecov gem); Verify SSL security (SSLLabs, DigiCert SSL); Check libs source code; Mutation testing (mutant gem)
  Real: Make logs simply accessible; Security headers (secureheaders gem); Styleguide (rubocop gem); Security Policy
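The "Security headers" item points at the secureheaders gem. As an added example (not the gem's code and not from the deck), here is the mechanism written out by hand as a Rack-style middleware, so it is clear what the gem is doing on your behalf: set a baseline of response headers, let a route override them, and skip HSTS on a non-TLS response. The baseline values and the content security policy are this example's assumptions; a real application tunes the CSP to what it actually loads.

```ruby
# Rack-style middleware for the "Security headers" item on the inner-security
# slide: the kind of response headers the secureheaders gem configures for a
# Rails app, written out by hand. Added example, not the gem's code; the
# baseline values and the CSP are assumptions.
class SecurityHeaders
  DEFAULTS = {
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    'X-Frame-Options'           => 'DENY',
    'X-Content-Type-Options'    => 'nosniff',
    'Referrer-Policy'           => 'strict-origin-when-cross-origin',
    'Content-Security-Policy'   => "default-src 'self'; object-src 'none'; frame-ancestors 'none'"
  }.freeze

  HSTS = 'Strict-Transport-Security'.freeze

  def initialize(app, overrides = {})
    @app = app
    @headers = DEFAULTS.merge(overrides)
  end

  # Rack protocol: call(env) -> [status, headers, body]. Headers the app set
  # itself win, so one route can ship a different CSP without being clobbered.
  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup # the app may hand us a frozen hash
    @headers.each do |name, value|
      # HSTS is only meaningful on a TLS response; browsers ignore it on http:
      next if name == HSTS && env['rack.url_scheme'] != 'https'
      headers[name] = value unless headers.key?(name)
    end
    [status, headers, body]
  end

  # Names of baseline headers a response is missing; empty when compliant.
  # Useful as a test assertion or a smoke check against a deployed instance.
  def self.missing(headers, scheme: 'https')
    DEFAULTS.keys.reject do |name|
      headers.key?(name) || (name == HSTS && scheme != 'https')
    end
  end
end

# Constructed sample app: sets only Content-Type, as a typical route would.
HELLO_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }

# Run the sample app through the middleware for the given URL scheme.
def hardened_response(scheme = 'https')
  SecurityHeaders.new(HELLO_APP).call('rack.url_scheme' => scheme, 'PATH_INFO' => '/')
end
```

Wiring it into a Rack application is `use SecurityHeaders` in config.ru or the Rails middleware stack; `SecurityHeaders.missing` is the piece worth keeping in a test suite, since a header that silently disappears during a refactor is exactly the regression these gems exist to prevent. Note that Rack 3 expects lowercase header names; the mixed-case names above follow the older convention.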
Thank You is hiring =)