Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security design in web applications

Jester
April 16, 2016
Technology
0
180

Security design in web applications

This is about Inner and Outer security in Web application

Jester

April 16, 2016
Tweet

More Decks by Jester

See All by Jester
Ruby Chat Bots: Work and Fun together
jesterovskiy
0
55
Epic API Fight
jesterovskiy
0
84

Other Decks in Technology

See All in Technology
DevIO2024_レガシー運用からの脱却 -クラウド活用の実践事例とベストプラクティス-
jun2882
0
210
初中級者用如何使用backlog -VALE TUDOEDITION-
in0u
0
140
【基調講演】変える、今ここから ― IoTとAIで紡ぐ未来
soracom
PRO
0
320
技術負債による事業の失敗はなぜ起こるのか / Why do business failures due to technical debt occur?
i35_267
0
190
ACRiルーム最新情報とAMD GPUサーバーのご紹介
anjn
0
160
テスト・設計研修【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
170
推薦システムを本番導入する上で一番優先すべきだったこと~NewsPicks記事推薦機能の改善事例を元に~
morinota
0
130
データベース研修 分析向けSQL入門【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
110
サービスの持続的な成長と技術負債について
siva_official
PRO
10
4.4k
RAGのサービスをリリースして1年3ヶ月が経ちました
segavvy
4
950
スレットハンティングについて知っておきたいこと
hacket
0
130
ここがすごいよ! AWS Systems Manager!
saichan11
0
1.8k

Featured

See All Featured
Building Flexible Design Systems
yeseniaperezcruz
323
37k
Raft: Consensus for Rubyists
vanstee
134
6.5k
Typedesign – Prime Four
hannesfritz
37
2.2k
Practical Orchestrator
shlominoach
185
10k
It's Worth the Effort
3n
181
27k
Docker and Python
trallard
37
2.9k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
13
430
Bootstrapping a Software Product
garrettdimon
PRO
304
110k
Atom: Resistance is Futile
akmur
261
25k
Creatively Recalculating Your Daily Design Routine
revolveconf
214
11k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.9k
No one is an island. Learnings from fostering a developers community.
thoeni
17
2.8k

Transcript

  1. Security design in web applications

  2. Aleksey Dashkevych RubyDev/SysAdmin twitter://dash_as facebook://aleksey.dashkevich github://jesterovskiy

  3. “software has been designed from the ground up to be

    secure” C.O. Secure by design

  4. Outer Security Inner Security

  5. Ideal Situation Real Life

  6. None
  7. None
  8. None

  9. User Outer Connection Application DB

  10. User

  11. Linux/OSX Firewall Secure PC White noise generator Ideal

  12. Keep password in mind or use pass saver Make password

    strong Change password each period of time Real Keep additional data (DOB, phone)

  13. Connection

  14. Cable VPN … Ideal

  15. SSL SSL updates SRP protocol Real …

  16. Application

  17. Pure HTML Static pages … Ideal

  18. CDN Authentification Authorization Real CRF, XSS

  19. DB

  20. Encryption Tape Drive backup Backup? … Ideal

  21. Backup! Access rights bcrypt/scrypt Real Salt + Verifier (SRP protocol)

  22. Inner Application

  23. Storing API keys in ENV variables Access rights CI Real

    Prod, Staging, Testing instances

  24. Test coverage Verify SSL security Real Check libs source code

    simplecov gem SSLLabs, DigiCert SSL Mutation testing mutant gem

  25. Make logs simply accessible Security headers Styleguide Real secureheaders gem

    rubocop gem Security Policy

  26. Thank You is hiring =)