Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security design in web applications
Search
Jester
April 16, 2016
Technology
0
200
Security design in web applications
This is about Inner and Outer security in Web application
Jester
April 16, 2016
Tweet
Share
More Decks by Jester
See All by Jester
Ruby Chat Bots: Work and Fun together
jesterovskiy
0
57
Epic API Fight
jesterovskiy
0
86
Other Decks in Technology
See All in Technology
【Forkwell】「正しく」失敗できるチームを作る──現場のリーダーのための恐怖と不安を乗り越える技術 - FL#83 / A team that can fail correctly by forkwell
i35_267
2
160
開発者体験を定量的に把握する手法と活用事例
ham0215
0
150
AI自体のOps 〜LLMアプリの運用、AWSサービスとOSSの使い分け〜
minorun365
PRO
9
1.3k
Dify触ってみた。
niftycorp
PRO
0
110
Amazon Q Developerの無料利用枠を使い倒してHello worldを表示させよう!
nrinetcom
PRO
2
130
OCI Success Journey OCIの何が評価されてる?疑問に答える事例セミナー(2025年2月実施)
oracle4engineer
PRO
2
270
20250309 無冠のわたし これからどう先生きのこれる?
akiko_pusu
9
1.6k
"TEAM"を導入したら最高のエンジニア"Team"を実現できた / Deploying "TEAM" and Building the Best Engineering "Team"
yuj1osm
1
250
OPENLOGI Company Profile for engineer
hr01
1
21k
ライフステージの変化を乗り越える 探索型のキャリア選択
tenshoku_draft
2
360
“常に進化する”開発現場へ! SHIFTが語るアジャイルQAの未来/20250306 Yuma Murase
shift_evolve
0
160
あなたが人生で成功するための 5つの普遍的法則 #jawsug #jawsdays2025 / 20250301 HEROZ
yoshidashingo
2
470
Featured
See All Featured
How to Ace a Technical Interview
jacobian
276
23k
Why Our Code Smells
bkeepers
PRO
336
57k
Designing for Performance
lara
605
68k
RailsConf 2023
tenderlove
29
1k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
115
51k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
366
25k
Thoughts on Productivity
jonyablonski
69
4.5k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.3k
Being A Developer After 40
akosma
89
590k
How to train your dragon (web standard)
notwaldorf
91
5.9k
A better future with KSS
kneath
238
17k
Transcript
Security design in web applications
Aleksey Dashkevych RubyDev/SysAdmin twitter://dash_as facebook://aleksey.dashkevich github://jesterovskiy
“software has been designed from the ground up to be
secure” C.O. Secure by design
Outer Security Inner Security
Ideal Situation Real Life
None
None
None
User Outer Connection Application DB
User
Linux/OSX Firewall Secure PC White noise generator Ideal
Keep password in mind or use pass saver Make password
strong Change password each period of time Real Keep additional data (DOB, phone)
Connection
Cable VPN … Ideal
SSL SSL updates SRP protocol Real …
Application
Pure HTML Static pages … Ideal
CDN Authentification Authorization Real CRF, XSS
DB
Encryption Tape Drive backup Backup? … Ideal
Backup! Access rights bcrypt/scrypt Real Salt + Verifier (SRP protocol)
Inner Application
Storing API keys in ENV variables Access rights CI Real
Prod, Staging, Testing instances
Test coverage Verify SSL security Real Check libs source code
simplecov gem SSLLabs, DigiCert SSL Mutation testing mutant gem
Make logs simply accessible Security headers Styleguide Real secureheaders gem
rubocop gem Security Policy
Thank You is hiring =)
jesterovskiy
i35_267
ham0215
minorun365
niftycorp
nrinetcom
oracle4engineer
akiko_pusu
yuj1osm
hr01
tenshoku_draft
shift_evolve
yoshidashingo
jacobian
bkeepers
lara
tenderlove
aki_iinuma
rmw
cassininazir
jonyablonski
tammyeverts
akosma
notwaldorf
kneath
