This deck is about outer and inner security in web applications.

Security design in web applications
Aleksey Dashkevych, Ruby developer / sysadmin
twitter: dash_as, facebook: aleksey.dashkevich, github: jesterovskiy
“Software has been designed from the ground up to be secure.” (C.O., Secure by design)
Outer security vs. inner security

Ideal situation vs. real life

Outer security, layer by layer: User -> Connection -> Application -> DB
User
Ideal: Linux/OSX, a firewall, a secure PC, a white noise generator.
Real: keep the password in your head or use a password manager, make the password strong, change it periodically, and remember that the service also holds additional personal data (DOB, phone) that needs the same protection.
Connection
Ideal: a dedicated cable, a VPN, …
Real: SSL/TLS, keeping the SSL stack updated, the SRP protocol (password-authenticated key exchange, so the password itself never crosses the wire), …
Application
Ideal: pure HTML, static pages, …
Real: a CDN in front, authentication, authorization, and the attack surface that comes with dynamic pages: CSRF and XSS.
DB
Ideal: encryption, tape-drive backup, backup? …
Real: backup! Access rights; passwords hashed with bcrypt/scrypt, or stored only as salt + verifier (SRP protocol) so the database never holds anything a client could replay as a password.
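The "salt + verifier (SRP protocol)" row above is easy to state and easy to get wrong, so here is the exchange in working code. This is an added example, not code from the deck or from any SRP gem: an SRP-6a registration and login in plain Ruby (Integer#pow with a modulus and Digest::SHA256, both stdlib), with both the client's and the server's messages shown. Assumptions: the group is the 1024-bit one from RFC 5054 Appendix A (transcribed here; check it against the RFC before relying on it, and prefer a larger group in production), the hash encoding is a simplified "hex joined by |" scheme rather than the RFC byte layout, and the `store` hash stands in for the DB row of salt + verifier.

```ruby
require "digest"
require "securerandom"

# SRP-6a over the RFC 5054 1024-bit group (Appendix A). Constant transcribed
# from the RFC; verify before use. Smallest group in the RFC, chosen for speed.
SRP_N = Integer(
  "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576" \
  "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1" \
  "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC" \
  "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
SRP_G = 2

# H(): SHA-256 over the hex forms of the parts joined by "|", as an Integer.
# Simplified encoding (assumption), not the RFC 5054 byte layout.
def srp_hash(*parts)
  encoded = parts.map { |p| p.is_a?(Integer) ? p.to_s(16) : p.to_s }.join("|")
  Digest::SHA256.hexdigest(encoded).to_i(16)
end

# x = H(salt, H(username ":" password)). Only the client ever computes this.
def srp_private_x(salt, username, password)
  srp_hash(salt, Digest::SHA256.hexdigest("#{username}:#{password}"))
end

# Registration: the server stores salt + verifier v = g^x, never the password.
def srp_register(username, password)
  salt = SecureRandom.hex(16)
  { salt: salt, verifier: SRP_G.pow(srp_private_x(salt, username, password), SRP_N) }
end

SRP_K = srp_hash(SRP_N, SRP_G) # SRP-6a multiplier k = H(N, g)

def srp_random_exponent
  SecureRandom.random_number(1 << 256) + 1 # at least 256 bits, per RFC 5054
end

# One full login exchange. `store` maps username => { salt:, verifier: } and
# stands in for the DB. Returns true only if both sides prove the same key.
def srp_login(store, username, password)
  # Client -> Server: I, A = g^a
  a = srp_random_exponent
  big_a = SRP_G.pow(a, SRP_N)

  # Server: look up the record, reject A == 0 (mod N), send s and B = k*v + g^b
  record = store.fetch(username) { return false }
  return false if big_a % SRP_N == 0
  b = srp_random_exponent
  big_b = (SRP_K * record[:verifier] + SRP_G.pow(b, SRP_N)) % SRP_N

  # Client: reject B == 0 (mod N), derive S = (B - k*g^x)^(a + u*x), prove it with M1
  return false if big_b % SRP_N == 0
  u = srp_hash(big_a, big_b) # both sides compute u = H(A, B) the same way
  x = srp_private_x(record[:salt], username, password)
  base = (big_b - SRP_K * SRP_G.pow(x, SRP_N)) % SRP_N # reduce first: may be negative
  k_client = srp_hash(base.pow(a + u * x, SRP_N))
  m1 = srp_hash(big_a, big_b, k_client)

  # Server: derive S = (A * v^u)^b from its own secrets, check M1 before answering
  k_server = srp_hash((big_a * record[:verifier].pow(u, SRP_N)).pow(b, SRP_N))
  return false unless m1 == srp_hash(big_a, big_b, k_server)
  m2 = srp_hash(big_a, m1, k_server)

  # Client: verify the server's proof M2; only now is the session key trusted
  m2 == srp_hash(big_a, m1, k_client)
end
```

Two caveats the deck's one-line entry hides: the zero checks on A and B are not optional (without them a peer can force a known session key), and a leaked salt + verifier table is still an offline dictionary target, so the "make the password strong" item from the User slide still applies. SRP complements TLS rather than replacing it; the Connection slide lists both for that reason.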
Inner application
Real: store API keys in ENV variables, not in the repository; access rights; CI; separate production, staging and testing instances.
Real: test coverage (simplecov gem); verify SSL/TLS configuration (SSLLabs, DigiCert SSL checker); read the source of the libraries you pull in; mutation testing (mutant gem).
Real: make logs simply accessible; security headers (secureheaders gem); a style guide enforced by tooling (rubocop gem); a written security policy.
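The "security headers" item is usually delegated to the secureheaders gem, but the mechanism is small enough to show in full. This is an added example, not the gem's code and not code from the deck: a Rack-protocol middleware that stamps a fixed header policy onto every response, plus an audit function that reports missing or weak headers, which is the kind of check that belongs in the CI step listed on the previous slide. Assumptions: the header values are illustrative defaults to be tuned per application, `PLAIN_APP` is a constructed stand-in for a real app, and the "weak" thresholds (HSTS under one year, CSP containing 'unsafe-inline', X-Frame-Options other than DENY/SAMEORIGIN) are policy choices for this example.

```ruby
# Rack-style middleware that applies a fixed set of security headers.
# Added example; header values are illustrative defaults (assumption).
class SecurityHeaders
  DEFAULTS = {
    "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options"    => "nosniff",
    "X-Frame-Options"           => "DENY",
    "Referrer-Policy"           => "strict-origin-when-cross-origin",
    "Content-Security-Policy"   =>
      "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  }.freeze

  def initialize(app, overrides = {})
    @app = app
    @headers = DEFAULTS.merge(overrides).freeze
  end

  # Rack protocol: call(env) returns [status, headers, body].
  # The policy headers win over whatever the app emitted, so a stray view or
  # controller cannot silently weaken them; per-route changes go via overrides.
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(@headers), body]
  end
end

# Thresholds are example policy choices, not standards requirements.
def weak_header_value?(name, value)
  case name
  when "Strict-Transport-Security"
    value[/max-age=(\d+)/, 1].to_i < 31_536_000 # under one year
  when "Content-Security-Policy"
    value.include?("'unsafe-inline'")           # reopens the XSS door CSP closes
  when "X-Frame-Options"
    !%w[DENY SAMEORIGIN].include?(value.upcase) # anything else does not stop framing
  else
    false
  end
end

# Returns the names of policy headers that are missing or weak in a response.
def audit_security_headers(headers)
  SecurityHeaders::DEFAULTS.keys.select do |name|
    value = headers[name].to_s
    value.empty? || weak_header_value?(name, value)
  end
end

# Constructed stand-in for an application; sets no security headers itself.
PLAIN_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>hi</h1>"]] }

def hardened_response
  SecurityHeaders.new(PLAIN_APP).call({})
end
```

Two practical notes: Strict-Transport-Security only makes sense on responses actually served over HTTPS (browsers ignore it otherwise, and a misconfigured max-age can lock users out of an HTTP-only staging host), and a new CSP is best rolled out as Content-Security-Policy-Report-Only first so the report endpoint, not the users, tells you what the policy breaks. Under Rack 3 the header keys are lowercase; the canonical case used here is for readability.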
Thank you!
is hiring =)