Security is not a feature
- @ianaya89
Nacho Anaya
@ianaya89
• Lead OSS Engineer @ChecklyHQ
• Ambassador @Auth0
• Streaming @ianaya89
"There are two types of companies:
those that have been hacked, and
those who don't know they have
been hacked."
John T. Chambers
~11.3 billion
informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
Uneven Competition
Lose Money
Lose Trust
• Culture
• Training
• Politics
• Time
• Money
"If you spend more on coffee than
on IT security, you will be hacked.
What's more, you deserve to be
hacked"
Richard A. Clarke
Invest!
Systemic Thinking
Vulnerabilities
"Vulnerabilities are like ants, they
are everywhere"
Nacho Anaya
Heartbleed
Web is Complex
HTTP/S - WebSockets - DNS - TCP
FTP - IPv4 - IPv6 - SSH - ASCII - IRC
Browsers too
HTML - CSS - JS
DOM - Geolocation - Multimedia
Fetch - Web Sockets - Storage
The Solution
No perfect solution
But we can be ready
Security is not "nice to have"
Security is by default
Assume the worst
ALWAYS
Your app is your bestie
Input vectors
Query String - URL Path - Request Body - Cookies
Request Headers - Form Fields - File Inputs
Emails - Web Socket - Browser Storage - Hooks
⚠
Never trust your users
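The input vectors listed above are the surface that "never trust your users" refers to. The following is an added example, not code from the talk, showing one request validated vector by vector (URL path, query string, headers, cookies, body) against explicit allowlists in plain Node.js. The route, the body fields and the two request objects at the bottom are assumptions constructed for the demonstration.

```javascript
// Added example (not from the original slides): validate every input vector of
// a request against an explicit allowlist before business logic runs.
// Plain Node.js, no dependencies. Route, field names and the two request
// objects at the bottom are assumptions constructed for the demonstration.
const ID_RE = /^[a-z0-9-]{1,40}$/;           // user id taken from the URL path
const SESSION_RE = /^[a-f0-9]{64}$/;         // session cookie: 32 random bytes as hex
const EMAIL_RE = /^[^\s@]{1,64}@[^\s@]{1,255}$/;
const MAX_BODY_BYTES = 16 * 1024;

// JSON body schema: field -> validator. Every field is required and every
// unknown key is rejected, so attacker-supplied keys such as "__proto__" or
// "$gt" never reach the data layer.
const BODY_SCHEMA = {
  email: (v) => typeof v === "string" && EMAIL_RE.test(v),
  age: (v) => Number.isInteger(v) && v >= 13 && v <= 130,
  newsletter: (v) => typeof v === "boolean",
};
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// The cookie map has no prototype, so a cookie literally named "__proto__"
// becomes an ordinary key instead of rewriting the object's prototype.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i < 1) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function validateBody(raw, errors) {
  if (typeof raw !== "string") { errors.push("body: missing"); return null; }
  if (Buffer.byteLength(raw, "utf8") > MAX_BODY_BYTES) { errors.push("body: too large"); return null; }
  let obj;
  try { obj = JSON.parse(raw); } catch { errors.push("body: not valid JSON"); return null; }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    errors.push("body: expected a JSON object");
    return null;
  }
  const clean = {};
  for (const key of Object.keys(obj)) {
    if (!hasOwn(BODY_SCHEMA, key)) errors.push(`body.${key}: unknown field`);
    else if (!BODY_SCHEMA[key](obj[key])) errors.push(`body.${key}: invalid value`);
    else clean[key] = obj[key];
  }
  for (const key of Object.keys(BODY_SCHEMA)) {
    if (!hasOwn(obj, key)) errors.push(`body.${key}: required`);
  }
  return clean;
}

// req: { path, queryString, headers (lower-case names), body (raw string) }
function validateRequest(req) {
  const errors = [];
  // 1. URL path: only the expected route shape and a strictly formatted id.
  const m = /^\/users\/([^/]+)$/.exec(req.path);
  const id = m && ID_RE.test(m[1]) ? m[1] : null;
  if (!id) errors.push("path: bad user id");
  // 2. Query string: every parameter must be known, typed and range-checked.
  let page = 1;
  for (const [key, value] of new URLSearchParams(req.queryString || "")) {
    if (key !== "page") errors.push(`query.${key}: unknown parameter`);
    else if (!/^[1-9]\d{0,3}$/.test(value)) errors.push("query.page: invalid");
    else page = Number(value);
  }
  // 3. Headers: the server dictates the accepted content type, not the client.
  const contentType = String(req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (contentType !== "application/json") errors.push("headers.content-type: must be application/json");
  // 4. Cookies: the session token has a fixed shape; anything else is rejected.
  const cookies = parseCookies(String(req.headers.cookie || ""));
  if (!SESSION_RE.test(cookies.session || "")) errors.push("cookie.session: malformed");
  // 5. Body: parsed under a size limit and checked field by field.
  const body = validateBody(req.body, errors);
  return errors.length
    ? { ok: false, errors }
    : { ok: true, value: { id, page, session: cookies.session, body } };
}

// Constructed requests: one well-formed, one carrying typical attack inputs
// (path traversal, unknown parameter, operator object, prototype key).
const GOOD_REQUEST = {
  path: "/users/alice-01",
  queryString: "page=2",
  headers: { "content-type": "application/json; charset=utf-8", cookie: `session=${"ab".repeat(32)}` },
  body: JSON.stringify({ email: "alice@example.com", age: 30, newsletter: false }),
};
const BAD_REQUEST = {
  path: "/users/../admin",
  queryString: "page=1&debug=1",
  headers: { "content-type": "text/plain", cookie: "session=abc; __proto__=polluted" },
  body: '{"email":{"$gt":""},"age":30,"newsletter":false,"__proto__":{"admin":true}}',
};
```

`validateRequest(GOOD_REQUEST)` returns the parsed, typed values; `validateRequest(BAD_REQUEST)` returns six errors, one per vector it attacked, and nothing from the request is passed on. The pattern is the same whatever the framework: decide what each vector is allowed to contain, reject everything else, and only hand the cleaned values to the next layer.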
HTTPS
2021
LTS
Dependencies
"Your code is not your code, but
their bugs are your bugs."
Nacho Anaya
eslint-scope
eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
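The eslint-scope publish above is the kind of bug that becomes yours through a dependency. As an added example (not code from the talk or from the ESLint postmortem), the script below audits the "packages" map of a package-lock.json and flags what a tampered dependency tends to show: a tarball resolved outside the trusted registry, a missing or weak integrity hash, or an install script, the hook a malicious publish commonly uses to run code on `npm install`. The lockfile and the package names in it are constructed for the demonstration.

```javascript
// Added example, not code from the original slides or the ESLint postmortem.
// Audits the "packages" map of a package-lock.json (lockfile version 2 or 3)
// for the properties a tampered dependency tends to show. The lockfile at the
// bottom is constructed; the package names are illustrative.
const TRUSTED_REGISTRIES = ["https://registry.npmjs.org/"];
const STRONG_INTEGRITY = /^sha(512|256)-[A-Za-z0-9+\/=]+$/;

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || meta.link) continue;              // root project, workspace symlink
    const name = path.replace(/^.*node_modules\//, "");  // keeps "@scope/name" for nested paths
    const pkg = `${name}@${meta.version || "?"}`;

    // Origin: every tarball must come from a registry we trust.
    if (!meta.resolved) {
      findings.push({ pkg, issue: "no resolved URL, origin cannot be checked" });
    } else if (!TRUSTED_REGISTRIES.some((r) => meta.resolved.startsWith(r))) {
      findings.push({ pkg, issue: `resolved outside trusted registry: ${meta.resolved}` });
    }

    // Integrity: the hash is what makes `npm ci` refuse a swapped tarball.
    if (!meta.integrity) {
      findings.push({ pkg, issue: "no integrity hash, tarball contents are not pinned" });
    } else if (!STRONG_INTEGRITY.test(meta.integrity)) {
      findings.push({ pkg, issue: `weak or malformed integrity: ${meta.integrity}` });
    }

    // Install scripts run arbitrary code at install time; they need a review.
    if (meta.hasInstallScript) {
      findings.push({ pkg, issue: "declares an install script (review it, or install with --ignore-scripts)" });
    }
  }
  return findings;
}

// Convenience wrapper for the raw file contents.
function auditLockfileJson(jsonText) {
  return auditLockfile(JSON.parse(jsonText));
}

// Constructed lockfile: one clean package, one with every red flag, one unpinned.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/good-lib": {
      version: "2.1.4",
      resolved: "https://registry.npmjs.org/good-lib/-/good-lib-2.1.4.tgz",
      integrity: `sha512-${"A".repeat(86)}==`,
    },
    "node_modules/sketchy-lib": {
      version: "0.3.1",
      resolved: "http://mirror.example.net/sketchy-lib-0.3.1.tgz",
      integrity: "sha1-DeadBeef=",
      hasInstallScript: true,
    },
    "node_modules/unpinned-lib": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/unpinned-lib/-/unpinned-lib-1.0.0.tgz",
    },
  },
};
```

Against a real project, run `auditLockfileJson(require("fs").readFileSync("package-lock.json", "utf8"))` as a CI step and fail the build on any finding. Pair it with `npm ci`, which installs exactly what the lockfile pins and refuses a tarball whose integrity hash does not match, and with `npm ci --ignore-scripts` where none of your dependencies genuinely needs an install hook.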
SQL / No-SQL Injection
SQL / No-SQL Injection
• Server Side Validation
• Sanitize queries: parameterize them, never build them by string concatenation
• ORM / ODM
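As an added example (not code from the talk), the following contrasts a query built by string concatenation with a parameterized one in the `{ text, values }` shape that node-postgres (pg) accepts, and shows the NoSQL counterpart: rejecting operator objects before they can land in a MongoDB-style filter. Parameters cannot carry identifiers, so the ORDER BY column is handled with an allowlist instead. No database is contacted; the table and column names and the attack payloads are assumptions.

```javascript
// Added example, not code from the original slides. Builds queries only; no
// database is contacted. Table/column names and the payloads are assumed.

// VULNERABLE: the input is spliced into the SQL text, so a quote in it ends
// the string literal and the rest of the input becomes grammar.
function findUserQueryUnsafe(email) {
  return `SELECT id, role FROM users WHERE email = '${email}'`;
}

// SAFE: the placeholder keeps data out of the grammar. This is the
// { text, values } form node-postgres passes to client.query(); the driver
// sends the value separately, so a quote in it stays a quote.
function findUserQuerySafe(email) {
  return { text: "SELECT id, role FROM users WHERE email = $1", values: [email] };
}

// Identifiers cannot be parameterized. Map user input onto a fixed allowlist
// instead of trusting the string.
const SORTABLE_COLUMNS = new Set(["id", "email", "created_at"]);
function orderByClause(column, direction = "asc") {
  if (!SORTABLE_COLUMNS.has(column)) throw new RangeError(`not a sortable column: ${column}`);
  if (direction !== "asc" && direction !== "desc") throw new RangeError("direction must be asc or desc");
  return `ORDER BY ${column} ${direction.toUpperCase()}`;
}

// NoSQL: a JSON body field may arrive as an object such as {"$ne": null},
// which a MongoDB-style driver treats as an operator. Accept scalar strings
// only and wrap them in an explicit $eq so they can never be reinterpreted.
function requireScalarString(value, field) {
  if (typeof value !== "string") throw new TypeError(`${field}: expected a string`);
  if (value.length === 0 || value.length > 254) throw new RangeError(`${field}: bad length`);
  return value;
}

function findUserFilterSafe(email) {
  return { email: { $eq: requireScalarString(email, "email") } };
}

// Constructed attack inputs.
const SQL_PAYLOAD = "' OR '1'='1";      // makes the WHERE clause true for every row
const NOSQL_PAYLOAD = { $ne: null };    // matches every document if passed through as-is
```

`findUserQueryUnsafe(SQL_PAYLOAD)` yields `SELECT id, role FROM users WHERE email = '' OR '1'='1'`, a query that returns every user; `findUserQuerySafe` sends the same string as a value that can only ever be compared against the column. An ORM or ODM (the third bullet above) gives you the parameterized form by default, but its raw-query escape hatches and any filter object built straight from a parsed request body reintroduce the problem, which is why the server-side validation step comes first.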
XSS
XSS
• Server Side Validation
• Sanitize inputs
• HTML encoding: encode output for the context it is rendered in
• Frameworks
• HTTP Secure Response Headers
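The encoding and header bullets above, as an added example that is not code from the talk: output encoding for the HTML text and attribute contexts, a separate check for `href` values (where encoding alone does not stop a `javascript:` URL), a vulnerable and a safe renderer side by side, and the response headers that limit the damage when an encoding step is missed. The comment object at the bottom is constructed for the demonstration.

```javascript
// Added example, not code from the original slides: output encoding per
// context plus the response headers that contain a missed encoding step.
// The comment object at the bottom is constructed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encoding for HTML text and for values inside double-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// href/src are a different context: encoding does not neutralise a
// javascript: or data: URL, so allow only http(s) URLs or same-origin paths.
function safeHref(value) {
  const s = String(value).trim();
  if (/^\/(?!\/)/.test(s)) return escapeHtml(s);   // "/path", but not "//host"
  try {
    const { protocol } = new URL(s);
    if (protocol === "http:" || protocol === "https:") return escapeHtml(s);
  } catch {
    // not an absolute URL
  }
  return "#";
}

// VULNERABLE: user-controlled strings are interpolated into markup as-is.
function renderCommentUnsafe({ author, text, website }) {
  return `<article><a href="${website}">${author}</a><p>${text}</p></article>`;
}

// SAFE: every interpolation is encoded for the context it lands in.
function renderComment({ author, text, website }) {
  return `<article><a href="${safeHref(website)}" rel="noopener noreferrer">${escapeHtml(author)}</a>` +
    `<p>${escapeHtml(text)}</p></article>`;
}

// Defence in depth: block inline scripts, MIME sniffing, framing and plain-HTTP
// downgrades even if one encoding step is forgotten somewhere.
function secureResponseHeaders() {
  return {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  };
}

// Constructed comment carrying a payload for each context.
const HOSTILE_COMMENT = {
  author: 'Mallory"><script>alert(1)</script>',
  text: '<img src=x onerror="alert(document.cookie)">',
  website: "javascript:alert(1)",
};
```

`renderCommentUnsafe(HOSTILE_COMMENT)` emits a live `<script>` element and a `javascript:` link; `renderComment(HOSTILE_COMMENT)` emits the same content as inert text and replaces the link target with `#`. Template engines in the frameworks bullet do the `escapeHtml` part automatically for the text context, but the URL context and the headers are still yours to handle.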