there is no silver bullet Henri Watson 

Which  vulnerabili.es  commonly   affect  web  applica.ons  in  the   Dominican  Republic?   

No  HTTPS   

Using  HTTPS  won’t  cost  you   an  arm  and  a  leg.   

The  current  proposal  for   HTTP/2.0  requires  TLS.   

If  you  decide  to  use  HTTPS,   also  use  Strict-­‐Transport-­‐Security   and  ssllabs.com/ssltest   

SQL  Injec.ons   

GET  /tracker?order=12345”;   DROP  TABLE  orders;-­‐-­‐   SELECT  *  FROM  orders  WHERE  order  =  “12345”;   DROP  TABLE  orders;-­‐-­‐”  AND  status  =  “pending”   Request  from   the  client  to  the  server   Request  from  the   webserver  to  the  database   

No content

No content

No content

Authen.ca.on  Implementa.on   Mistakes   

No content

No content

Cross-­‐Site  Scrip.ng  (XSS)   

GET  /hi?name=   Hello,  !   Request  from   the  client  to  the  server   Reply  from   the  server  to  the  client   

Content-­‐Security-­‐Policy   

Exposure  of  Sensi.ve  Data   

No content

Using  Components  With   Known  Vulnerabili.es   

Mailing  Lists   •  bugtraq   hep://www.securityfocus.com/archive/1   •  debian-­‐security-­‐announce   heps://lists.debian.org/debian-­‐security-­‐announce/   •  fulldisclosure   hep://nmap.org/mailman/lis.nfo/fulldisclosure   

Mailing  Lists   •  [email protected]   heps://hepd.apache.org/lists.html#hep-­‐announce   •  nginx-­‐announce   hep://mailman.nginx.org/mailman/lis.nfo/nginx-­‐ announce   •  php-­‐announce   hep://php.net/mailing-­‐lists.php   

No content

Customer  Service   

No content

Why  is  there  no  “silver  bullet”?   

Informa.on  security  is  a  constant   investment.   

Heartbleed   

By  placing  your  users’  informa.on  at   risk,  you  also  risk  ruining  your   company’s  reputa.on.   

Thanks!   @henriwatson   [email protected]     heps://henriwatson.com/talks/silverbullet