Slide 1

Security is not a feature ‼ - @ianaya89

Slide 2

Nacho Anaya - @ianaya89
• Lead OSS Engineer @ChecklyHQ
• Ambassador @Auth0
• Streaming @ianaya89

Slide 3


Slide 4


Slide 5

"There are two types of companies: those that have been hacked, and those who don't know they have been hacked." - John T. Chambers

Slide 6


Slide 7


Slide 8


Slide 9


Slide 10


Slide 11


Slide 12

~11.3 Billions

Slide 13


Slide 14


Slide 15

Uneven Competition

Slide 16


Slide 17

Lose Money

Slide 18

Lose Trust

Slide 19


Slide 20

• Culture
• Training
• Politics
• Time
• Money

Slide 21

"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." - Richard A. Clarke

Slide 22

Invest!

Slide 23


Slide 24

Systemic Thinking

Slide 25

Vulnerabilities

Slide 26

"Vulnerabilities are like ants, they are everywhere." - Nacho Anaya

Slide 27

Heartbleed

Slide 28


Slide 29

Web is Complex

Slide 30

HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC

Slide 31

Browsers too

Slide 32

HTML - CSS - JS

Slide 33

DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage

Slide 34


Slide 35

The Solution

Slide 36

No perfect solution

Slide 37

But we can be ready

Slide 38


Slide 39

Security is not "nice to have"

Slide 40

Security is by default

Slide 41

Assume the worst

Slide 42

ALWAYS

Slide 43

Your app is your bestie

Slide 44

Input vectors

Slide 45

Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage - Hooks

Slide 46

⚠ Never trust your users

Slide 47


Slide 48

HTTPS - 2021

Slide 49


Slide 50

⬇ LTS

Slide 51

Dependencies

Slide 52


Slide 53

"Your code is not your code, but their bugs are your bugs." - Nacho Anaya

Slide 54

eslint-scope

Slide 55


Slide 56


Slide 57


Slide 58

SQL / No-SQL Injection

Slide 59


Slide 60


Slide 61

SQL / No-SQL Injection
• Server Side Validation
• Sanitize queries
• ORM / ODM
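How the three bullets fit together in a Node login handler, as an added example that is not part of the deck: server-side validation rejects anything that is not a bounded plain string (including the NoSQL operator objects a JSON body can smuggle in), and only the validated scalar reaches the data layer, either as a bound SQL parameter or as a plain MongoDB filter value. Function and field names (validateLogin, user, pass) are assumptions for illustration.

```javascript
// Added example (not from the slides): server-side validation against
// SQL / NoSQL injection in a Node login handler. Names are illustrative.

// Recursively looks for MongoDB operator keys ("$gt", "$ne", "$where", ...)
// or dotted path keys in a parsed JSON body. A body like
// {"pass": {"$gt": ""}} would otherwise match any stored value if it were
// copied straight into a filter object.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperator(v),
    );
  }
  return false;
}

function isBoundedString(v, max = 256) {
  return typeof v === 'string' && v.length > 0 && v.length <= max;
}

// Returns null if the body is acceptable, otherwise the reason for rejection.
function validateLogin(body) {
  if (!body || typeof body !== 'object' || Array.isArray(body)) return 'body must be an object';
  if (containsOperator(body)) return 'operator keys are not allowed';
  if (!isBoundedString(body.user)) return 'user must be a non-empty string';
  if (!isBoundedString(body.pass)) return 'pass must be a non-empty string';
  return null;
}

// Only validated scalars reach the data layer. For SQL the username travels
// as a bound parameter (the {text, values} shape node-postgres accepts),
// never by string concatenation; for MongoDB the filter is built from the
// scalar alone, so no operator can be injected. Password checking happens
// afterwards against the stored hash, not inside the query.
function buildUserLookup(body) {
  const problem = validateLogin(body);
  if (problem) throw new Error(problem);
  return {
    sql: { text: 'SELECT id, pass_hash FROM users WHERE username = $1', values: [body.user] },
    mongo: { username: body.user },
  };
}
```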

Slide 62

XSS

Slide 63


Slide 64

XSS
• Server Side Validation
• Sanitize inputs
• HTML encoding
• Frameworks
• HTTP Secure Response Headers

Slide 65

XSS - Secure Headers
HSTS - HPKP - X-Frame-Options - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy
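The "HTML encoding" and "Secure Headers" bullets of the two XSS slides, worked as one added example that is not part of the deck: an output encoder for untrusted values, a header set a Node app would apply to every response (the values are illustrative and the Express-style use is assumed), and an audit helper that reports which of those headers a response lacks. HPKP, Expect-CT and X-XSS-Protection from the slide are left out because current browsers no longer honour them.

```javascript
// Added example (not from the slides): HTML output encoding plus the secure
// response headers listed on the slide. Values are illustrative defaults.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text or attribute context. Encoding is done at output
// time, after validation, so the stored value itself is left untouched.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A template that interpolates user input only through the encoder.
function renderGreeting(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Headers to set on every response (e.g. res.set(secureHeaders()) in Express).
// A per-response CSP nonce lets you drop 'unsafe-inline' for scripts.
function secureHeaders({ cspNonce } = {}) {
  const scriptSrc = cspNonce ? `'nonce-${cspNonce}'` : `'self'`;
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Content-Security-Policy':
      `default-src 'self'; script-src ${scriptSrc}; object-src 'none'; base-uri 'self'; frame-ancestors 'none'`,
  };
}

// Defender-side check: given a response's headers (names in any case),
// return the secure headers that are missing, for a test or a monitor.
function missingSecureHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((h) => h.toLowerCase()));
  return Object.keys(secureHeaders()).filter((h) => !present.has(h.toLowerCase()));
}
```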

Slide 66

DoS

Slide 67


Slide 68

DoS
• Rate Limiting
• Error handling
• Explicit Crashes
• Exponential Regex
• IP Banning
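Two of the DoS bullets made concrete, as an added example that is not part of the deck: a fixed-window rate limiter keyed by client address (the limits are assumptions; a real deployment would keep the counters in a shared store) and an input validator that bounds length before any regular expression runs, which is what removes the "exponential regex" risk. The clock is injectable so the limiter can be tested without waiting.

```javascript
// Added example (not from the slides): per-client rate limiting and a
// length-bounded, non-backtracking input check. Limits are illustrative.

class RateLimiter {
  // At most `limit` requests per `windowMs` for each key; now() is injectable.
  constructor({ limit = 100, windowMs = 60000, now = Date.now } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Returns { allowed, remaining, retryAfterMs }; retryAfterMs feeds the
  // Retry-After header on a 429 response.
  check(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };
      this.buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= this.limit;
    return {
      allowed,
      remaining: Math.max(0, this.limit - b.count),
      retryAfterMs: allowed ? 0 : b.windowStart + this.windowMs - t,
    };
  }
}

// "Exponential regex": a pattern with nested or overlapping quantifiers such
// as /^(\w+\s?)*$/ backtracks exponentially on a long non-matching input and
// pins the event loop. The safe path is a hard length cap checked before the
// regex runs, plus a pattern where each character can match only one branch.
const MAX_NAME_LEN = 64;
const SAFE_NAME = /^[A-Za-z0-9_]+(?: [A-Za-z0-9_]+)*$/; // words separated by single spaces

function isValidDisplayName(input) {
  if (typeof input !== 'string' || input.length > MAX_NAME_LEN) return false;
  return SAFE_NAME.test(input);
}
```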

Slide 69

Sessions & Tokens

Slide 70

Sessions & Tokens
• Expirable
• Allow List or Deny List
• OAuth - OpenID
• Single Sign On

Slide 71

Passwords

Slide 72

Time to crack

Slide 73

Passwords
• hash + salt (bcrypt)
• Strong Passwords (Entropy)
• 2FA / MFA

Slide 74

Have I Been Pwned?

Slide 75


Slide 76

Have I Been Pwned? - API & DB

Slide 77

Dev Passwords & Secrets
• CI
• Dev Tools
• Cloud
• Keys - Tokens - Secrets

Slide 78

Dev Passwords & Secrets
• Blackbox
• Keybase
• GPG
• Password Managers
• Secret Manager (AWS)
• MFA

Slide 79

Cookies

Slide 80

Cookies Flags
• httpOnly
• secure
• SameSite

Slide 81

Cookies Scoping
• domain
• path
• expires
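The flags and scoping attributes of the two cookie slides in one added example that is not part of the deck: a builder that emits a session Set-Cookie header with HttpOnly, Secure, SameSite, Path, Domain and a bounded lifetime, and an audit helper that parses any Set-Cookie header and lists the protections it lacks, which is what you would run in an integration test against your own endpoints. Cookie name, lifetime and defaults are assumptions.

```javascript
// Added example (not from the slides): emitting a hardened session cookie
// and auditing a Set-Cookie header for missing protections.

function sessionCookie(name, value, { domain, path = '/', maxAgeSec = 3600, sameSite = 'Lax' } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (domain) parts.push(`Domain=${domain}`); // omitted: cookie bound to the issuing host only
  parts.push(`Path=${path}`);
  parts.push(`Max-Age=${maxAgeSec}`);          // bounded lifetime ("expires")
  parts.push(`Expires=${new Date(Date.now() + maxAgeSec * 1000).toUTCString()}`);
  parts.push('HttpOnly');                      // not readable from script; limits XSS impact
  parts.push('Secure');                        // only sent over HTTPS
  parts.push(`SameSite=${sameSite}`);          // limits cross-site sends (CSRF)
  return parts.join('; ');
}

// Parses one Set-Cookie header (attribute names are case-insensitive) and
// returns { name, findings } where findings lists the missing protections.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const attrMap = new Map(attrs.map((a) => {
    const [k, ...v] = a.split('=');
    return [k.toLowerCase(), v.join('=')];
  }));
  const findings = [];
  if (!attrMap.has('httponly')) findings.push('missing HttpOnly');
  if (!attrMap.has('secure')) findings.push('missing Secure');
  if (!attrMap.has('samesite')) findings.push('missing SameSite');
  else if (attrMap.get('samesite').toLowerCase() === 'none' && !attrMap.has('secure')) {
    findings.push('SameSite=None requires Secure');
  }
  if (!attrMap.has('max-age') && !attrMap.has('expires')) {
    findings.push('no expiry (session cookie lives until browser closes)');
  }
  return { name: pair.split('=')[0], findings };
}
```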

Slide 82

Logging & Monitoring

Slide 83

Logging & Monitoring
• Monitoring: datadog / new relic
• Errors: sentry / bugsnag
• Logs: papertrail / loggly
• Status: checkly / pingdom

Slide 84

Sensitive Data

Slide 85


Slide 86


Slide 87

OWASP Top 10

Slide 88

WebGoat
$ docker pull webgoat/webgoat-8.0
$ docker run -p 8080:8080 -t webgoat/webgoat-8.0

Slide 89

Take Away

Slide 90


Slide 91

Start taking care

Slide 92


Slide 93

Thanks! Questions? @ianaya89