Slide 1

Hey Devs, ⏱ Time to take care about web security!
Time to take care about web security! - @ianaya89 1

Slide 2

Nacho Anaya, @ianaya89 • JavaScript Engineer @BloqInc • Ambassador @Auth0 • Organizer @Vuenos_Aires

Slide 3


Slide 4

"There are two types of companies: those that have been hacked, and those who don't know they have been hacked."
John T. Chambers

Slide 5

Understand the Problem

Slide 6

2017: 4.2 billion leaks

Slide 7


Slide 8

Lose Money

Slide 9

Lose Trust

Slide 10

⏱ Invest!

Slide 11

"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."
Richard A. Clarke

Slide 12

Vulnerabilities Everywhere!

Slide 13


Slide 14


Slide 15

TCP is Complicated

Slide 16

HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC

Slide 17

Browsers Too

Slide 18

HTML - CSS - JS

Slide 19

DOM - Geolocation - Multimedia - Fetch - Web Sockets

Slide 20

Understand the Solution

Slide 21

There is no perfect security...

Slide 22

Security is not a nice-to-have

Slide 23

Security is by default

Slide 24

Always, but always, assume the worst

Slide 25

Hackers gonna hack

Slide 26

Know your app

Slide 27

Input Vectors

Slide 28

Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage

Slide 29

⚠ Don't trust the users

Slide 30

Must Do

Slide 31

HTTPS. It's 2018

Slide 32


Slide 33

HSTS: the Strict-Transport-Security header

Slide 34

Injection

Slide 35

✅ Injection • Validate input on the SERVER • Sanitize everything

Slide 36

XSS

Slide 37


Slide 38

✅ XSS • Validate & sanitize all inputs • Encode output (HTML) • Use proper headers

Slide 39

XSS Headers • Strict-Transport-Security • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options • Content-Security-Policy
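
The XSS slides (validate on the server, encode output, send the headers listed above) combined in one plain Node.js request handler. This is an added example, not code from the talk; the function names (escapeHtml, securityHeaders, validName, renderGreeting, handleRequest) and the greeting page are assumed.

```javascript
// Added example, not from the deck: server-side validation, HTML output
// encoding and the hardening headers listed on the slides, in a plain
// Node.js request handler. Function names here are assumed.

// Encode the characters that let untrusted text escape an HTML text node
// or a double/single-quoted attribute value. Apply this at output time.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Response headers from the "XSS Headers" slide. HSTS is only honoured on
// an HTTPS origin; X-XSS-Protection is a legacy browser filter, so it is
// switched off here and Content-Security-Policy carries the real protection.
function securityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-XSS-Protection': '0',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// Validate on the server (slide 35): accept a bounded allow-list of
// characters instead of trying to enumerate bad ones.
function validName(name) {
  return typeof name === 'string' && /^[\p{L}\p{N} ._-]{1,40}$/u.test(name);
}

// Encode even validated input: defence in depth if the rule above changes.
function renderGreeting(name) {
  const safe = validName(name) ? escapeHtml(name) : 'guest';
  return `<!doctype html><h1>Hello, ${safe}</h1>`;
}

// Handler for http.createServer(handleRequest).listen(3000).
function handleRequest(req, res) {
  const url = new URL(req.url, 'http://localhost');
  const body = renderGreeting(url.searchParams.get('name') || '');
  for (const [k, v] of Object.entries(securityHeaders())) res.setHeader(k, v);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(body);
}
```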

Slide 40

⚔ CSRF

Slide 41

⚔ ✅ CSRF • Random token in request • SameSite cookie flag

Slide 42

Session Management

Slide 43

✅ Session Management • Don't expose tokens (URL, Browser Storage) • Tokens must expire • OAuth - OpenID - Auth0

Slide 44

Password Management

Slide 45

✅ Password Management • bcrypt for hashing (with salt) • Strong passwords • MFA

Slide 46

Cookie Management

Slide 47

Cookie Flags • httpOnly • secure

Slide 48

↩ Cookie Scoping • domain • path • expires

Slide 49

use strict

Slide 50

Logging & Errors

Slide 51

Sensitive Data Exposure

Slide 52


Slide 53

✅ Sensitive Data Exposure: Just don't!

Slide 54

OSS

Slide 55

OWASP Top 10 owasp.org

Slide 56


Slide 57

Tools • RetireJS • npm nsp • docker

Slide 58

Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security

Slide 59


Slide 60

Take Away

Slide 61

✌ Promote a security culture!

Slide 62

⏱ Security is important, time to take care!

Slide 63

Thanks! Questions? @ianaya89