Hey Devs,
Time to take care about web security! ⏱
Time to take care about web security! - @ianaya89 1
Slide 2
Nacho Anaya
@ianaya89
• JavaScript Engineer @BloqInc
• Ambassador @Auth0
• Organizer @Vuenos_Aires
Slide 4
"There are two types of companies: those that have been hacked, and those who don't know they have been hacked."
John T. Chambers
Slide 5
Understand the Problem
Slide 6
2017
4.2 billion leaks
Slide 8
Lose Money
Slide 9
Lose Trust
Slide 10
⏱ Invest!
Slide 11
"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked"
Richard A. Clarke
Slide 12
Vulnerabilities Everywhere!
Slide 15
TCP is Complicated
Slide 16
HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC
Slide 17
Browsers Too
Slide 18
HTML - CSS - JS
Slide 19
DOM - Geolocation - Multimedia - Fetch - Web Sockets
Slide 20
Understand the Solution
Slide 21
There is no perfect security...
Slide 22
Security is not a nice-to-have
Slide 23
Security is by default
Slide 24
Always, but always, assume the worst
Slide 25
Hackers gonna hack
Slide 26
Know your app
Slide 27
Input Vectors
Slide 28
Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage
Slide 29
⚠ Don't trust the users
Slide 30
Must Do
Slide 31
HTTPS
It's 2018
Slide 33
HSTS
Strict-Transport-Security
Slide 34
Injection
Slide 35
✅ Injection
• Validate input on the SERVER
• Sanitize everything
Slide 36
XSS
Slide 38
✅ XSS
• Validate & sanitize all inputs
• Encode output (HTML)
• Use proper headers
Slide 39
XSS Headers
• Strict-Transport-Security
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Content-Security-Policy
Slide 40
⚔ CSRF
Slide 41
⚔ ✅ CSRF
• Random token in request
• SameSite cookie flag
Slide 42
Session Management
Slide 43
✅ Session Management
• Don't expose the token (URL, browser storage)
• Tokens must expire
• OAuth - OpenID - Auth0
Slide 44
Password Management
Slide 45
✅ Password Management
• bcrypt for hashing (with salt)
• Strong passwords
• MFA
Slide 46
Cookie Management
Slide 47
Cookie Flags
• httpOnly
• secure
Slide 48
Cookie Scoping
• domain
• path
• expires
Slide 49
use strict
Slide 50
Logging & Errors
Slide 51
Sensitive Data Exposure
Slide 53
✅ Sensitive Data Exposure
Just don't!
Slide 54
OSS
Slide 55
OWASP Top 10
owasp.org
Slide 57
Tools
• RetireJS
• npm nsp
• docker
Slide 58
Resources
• owasp.org
• WebGoat
• Web Security Basics
• MIT Computer Systems Security
Slide 60
Take Away
Slide 61
✌ Promote a security culture!
Slide 62
⏱ Security is important, time to take care!
Slide 63
Thanks!
Questions?
@ianaya89