Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security design in web applications
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Jester
April 16, 2016
Technology
240
0
Share
Security design in web applications
This is about Inner and Outer security in Web application
Jester
April 16, 2016
More Decks by Jester
See All by Jester
Ruby Chat Bots: Work and Fun together
jesterovskiy
0
67
Epic API Fight
jesterovskiy
0
97
Other Decks in Technology
See All in Technology
データモデリング通り #5オンライン勉強会: AIに『ビジネスの文脈』を教え込むデータモデリング
datayokocho
0
190
サンプリングは「作る」のか「使う」のか? 分散トレースのコストと運用を両立する実践的戦略 / Why you need the tail sampling and why you don't want it
ymotongpoo
3
120
知ってた?JavaScriptの"正しさ"を検証するテストが5万以上もあること(Test262)
riyaamemiya
1
150
ボトムアップ限界を越える - 20チームを束る "Drive Map" / Beyond Bottom-Up: A 'Drive Map' for 20 Teams
kaonavi
0
140
「強制アップデート」か「チームの自律」か?エンタープライズが辿り着いたプラットフォームのハイブリッド運用/cloudnative-kaigi-hybrid-platform-operations
mhrtech
0
120
AI時代の品質はテストプロセスの作り直し #scrumniigata
kyonmm
PRO
4
1.4k
GKE Agent SandboxでAIが生成したコードを 安全に実行してみた
lamaglama39
0
210
EMから幅を広げるために最近挑戦していること / Recent challenges I'm undertaking to expand my horizons beyond EM
hiro_torii
1
180
大学職員のための生成AI最前線 :最前線を、AIガバナンスとして読み直すためのTips
gmoriki
2
3.8k
20260513_生成AIを専属DSに_AI分析結果の検品テクニック_ハンズオン_交通事故データ
doradora09
PRO
0
210
「誰一人取り残されない」 AIエージェント時代のプロダクト設計思想 Product Management Summit 2026
mizushimac
1
3k
SLI/SLO、「完全に理解した」から「チョットデキル」へ
maruloop
1
130
Featured
See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.7k
Making the Leap to Tech Lead
cromwellryan
135
9.8k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
140
Raft: Consensus for Rubyists
vanstee
141
7.4k
How to Grow Your eCommerce with AI & Automation
katarinadahlin
PRO
1
180
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
210
How to audit for AI Accessibility on your Front & Back End
davetheseo
0
360
WCS-LA-2024
lcolladotor
0
570
Prompt Engineering for Job Search
mfonobong
0
290
What Being in a Rock Band Can Teach Us About Real World SEO
427marketing
0
220
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.4k
The Illustrated Children's Guide to Kubernetes
chrisshort
51
52k
Transcript
Security design in web applications
Aleksey Dashkevych RubyDev/SysAdmin twitter://dash_as facebook://aleksey.dashkevich github://jesterovskiy
“software has been designed from the ground up to be
secure” C.O. Secure by design
Outer Security Inner Security
Ideal Situation Real Life
None
None
None
User Outer Connection Application DB
User
Linux/OSX Firewall Secure PC White noise generator Ideal
Keep password in mind or use pass saver Make password
strong Change password each period of time Real Keep additional data (DOB, phone)
Connection
Cable VPN … Ideal
SSL SSL updates SRP protocol Real …
Application
Pure HTML Static pages … Ideal
CDN Authentification Authorization Real CRF, XSS
DB
Encryption Tape Drive backup Backup? … Ideal
Backup! Access rights bcrypt/scrypt Real Salt + Verifier (SRP protocol)
Inner Application
Storing API keys in ENV variables Access rights CI Real
Prod, Staging, Testing instances
Test coverage Verify SSL security Real Check libs source code
simplecov gem SSLLabs, DigiCert SSL Mutation testing mutant gem
Make logs simply accessible Security headers Styleguide Real secureheaders gem
rubocop gem Security Policy
Thank You is hiring =)
jesterovskiy
datayokocho
ymotongpoo
riyaamemiya
kaonavi
mhrtech
kyonmm
.jpg){kind=avatar}
lamaglama39
.jpg){kind=avatar}
hiro_torii
gmoriki
doradora09
mizushimac
maruloop
thoeni
cromwellryan
tmiket
vanstee
katarinadahlin
nikkihalliwell
davetheseo
lcolladotor
mfonobong
427marketing
marcduiker
chrisshort
