Slide 1

Slide 1 text

Security is not a feature! - @ianaya89 1

Slide 2

Slide 2 text

Nacho Anaya - @ianaya89
• Principal Engineer at @BalloonPlatform (https://twitter.com/@BalloonPlatform)
• Ambassador @Auth0 & @GitKraken
• Tech Speaker @MozTechSpeakers
• Organizer @Vuenos_Aires

Slide 3

Slide 3 text


Slide 4

Slide 4 text

"There are two types of companies: those that have been hacked, and those that don't yet know they have been hacked." John T. Chambers

Slide 5

Slide 5 text

Understand the problem

Slide 6

Slide 6 text

Zoom

Slide 7

Slide 7 text

An uneven contest ...

Slide 8

Slide 8 text

3.5 billion

Slide 9

Slide 9 text


Slide 10

Slide 10 text

Loss of money

Slide 11

Slide 11 text

Loss of trust

Slide 12

Slide 12 text

Culture • Training • Policies • ⏱ Time • Money

Slide 13

Slide 13 text

"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Richard A. Clarke

Slide 14

Slide 14 text

Invest!

Slide 15

Slide 15 text

A systemic view

Slide 16

Slide 16 text

Vulnerabilities

Slide 17

Slide 17 text

Heartbleed

Slide 18

Slide 18 text


Slide 19

Slide 19 text

TCP is complex

Slide 20

Slide 20 text

HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC

Slide 21

Slide 21 text

Browsers are too

Slide 22

Slide 22 text

HTML - CSS - JS

Slide 23

Slide 23 text

DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage

Slide 24

Slide 24 text

Understand the solution

Slide 25

Slide 25 text

There is no perfect solution

Slide 26

Slide 26 text

But we can prepare

Slide 27

Slide 27 text

Security is not a "nice to have"

Slide 28

Slide 28 text

Secure by default

Slide 29

Slide 29 text

Always, but always... assume the worst

Slide 30

Slide 30 text

Know your application.

Slide 31

Slide 31 text

Input vectors

Slide 32

Slide 32 text

Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage

Slide 33

Slide 33 text

⚠ Do not trust users

Slide 34

Slide 34 text

✅ Security checklist

Slide 35

Slide 35 text


Slide 36

Slide 36 text

HTTPS - 2020

Slide 37

Slide 37 text


Slide 38

Slide 38 text

⬇ Update versions • Node.js (12.18.0 LTS) • npm (6.14.4) • express (4.17.1)

Slide 39

Slide 39 text

Update dependencies • npm audit • Dependabot • Snyk

Slide 40

Slide 40 text

Linter: eslint-plugin-security

Slide 41

Slide 41 text

SQL / NoSQL Injection

Slide 42

Slide 42 text

✅ SQL / NoSQL injection • Validate inputs on the SERVER • Sanitize queries (parameterize them; never build them by string concatenation) • Use an ORM / ODM

Slide 43

Slide 43 text

SQL / NoSQL injection • mongoose • sequelize
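Added example for the two injection slides above (not code from the deck): why "validate on the server" matters against NoSQL injection in an Express + MongoDB-style login handler. The in-memory collection, the operator subset and the plaintext passwords are constructed stand-ins so the file runs without a database; a real application would store password hashes, as the Passwords slides say later.

```javascript
// Constructed sample data standing in for a MongoDB "users" collection.
const users = [
  { _id: 1, username: 'alice', password: 'correct-horse' },
  { _id: 2, username: 'bob', password: 'battery-staple' },
];

// Tiny subset of MongoDB query semantics, implemented only to show how an
// attacker-controlled object changes the meaning of a query: a plain value
// means equality, an object made of $-operators means a comparison.
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === 'object' && !Array.isArray(expected)) {
    const ops = Object.entries(expected);
    if (ops.length > 0 && ops.every(([k]) => k.startsWith('$'))) {
      return ops.every(([op, arg]) => {
        switch (op) {
          case '$ne': return actual !== arg;
          case '$gt': return actual > arg;
          case '$regex': return new RegExp(arg).test(String(actual));
          default: throw new Error(`unsupported operator ${op}`);
        }
      });
    }
    // An object without operators is compared as a literal value; none of
    // the string fields above equal an object, so this never matches here.
    return JSON.stringify(actual) === JSON.stringify(expected);
  }
  return actual === expected;
}

function findOne(filter) {
  return users.find((doc) =>
    Object.entries(filter).every(([field, expected]) => fieldMatches(doc[field], expected)),
  ) || null;
}

// VULNERABLE: req.body goes straight into the query. With express.json()
// an attacker can POST {"username":{"$ne":""},"password":{"$ne":""}} and the
// filter becomes "any user whose fields are non-empty": the first user logs in.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password });
}

// HARDENED: reject anything that is not a bounded string before it reaches
// the query. A schema validator (joi, express-validator) does the same job.
function requireString(value, name, max = 128) {
  if (typeof value !== 'string' || value.length === 0 || value.length > max) {
    throw new TypeError(`${name} must be a non-empty string of at most ${max} chars`);
  }
  return value;
}

function loginHardened(body) {
  const username = requireString(body.username, 'username');
  const password = requireString(body.password, 'password');
  return findOne({ username, password });
}

// Defence in depth: strip $-prefixed and dotted keys from a parsed body
// (what express-mongo-sanitize does), so operators never reach the query
// even if a validation rule is missed somewhere else.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value)
        .filter(([k]) => !k.startsWith('$') && !k.includes('.'))
        .map(([k, v]) => [k, stripOperators(v)]),
    );
  }
  return value;
}
```

Type checks are the cheap, reliable fix: once `username` is known to be a string, no operator object can reach the driver, which is also why the ORM/ODM advice helps (mongoose casts a field declared as `String` and rejects objects).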

Slide 44

Slide 44 text

XSS

Slide 45

Slide 45 text


Slide 46

Slide 46 text

✅ XSS • Validate inputs on the SERVER • Encode output (HTML) • Secure response headers

Slide 47

Slide 47 text

Secure headers (XSS) - HSTS - HPKP - X-Frame-Options - X-XSS-Protection - X-Content-Type-Options - Referrer-Policy - Expect-CT - Content-Security-Policy. Of these, Content-Security-Policy is the one that actually limits what injected script can do; HPKP and Expect-CT have since been deprecated by browsers, and X-XSS-Protection is ignored by current browsers.

Slide 48

Slide 48 text

XSS • @hapi/joi • express-validator • helmet • csurf (CSRF)

Slide 49

Slide 49 text

DoS

Slide 50

Slide 50 text

✅ DoS • Rate limiting • Error handling • Explicit crashes (fail fast on unrecoverable errors and let the process manager restart) • Regex validation • Blocking users / IPs

Slide 51

Slide 51 text

DoS • express-rate-limit (basic) • node-rate-limiter-flexible (advanced) • try/catch - .catch() - if (err) • safe-regex

Slide 52

Slide 52 text

Sessions & tokens

Slide 53

Slide 53 text

✅ Sessions & tokens • Don't expose them • Expire them • Blacklist or whitelist • OAuth - OpenID

Slide 54

Slide 54 text

Sessions & tokens • jsonwebtoken • passport • Auth0 - Okta - Firebase

Slide 55

Slide 55 text

Passwords

Slide 56

Slide 56 text

Time to crack

Slide 57

Slide 57 text

✅ Passwords • hash + salt (use a purpose-built password hash such as bcrypt, not a plain crypto digest) • Strong passwords (entropy) • MFA

Slide 58

Slide 58 text

Passwords • bcrypt • speakeasy • Auth0 - Okta - Firebase • Twilio

Slide 59

Slide 59 text

Have I been pwned? https://haveibeenpwned.com

Slide 60

Slide 60 text


Slide 61

Slide 61 text

Have I been pwned? API & DB

Slide 62

Slide 62 text

Dev passwords & secrets • CI • Dev tools • Cloud • Keys - Tokens - Secrets

Slide 63

Slide 63 text

✅ Dev passwords & secrets • 1Password • Blackbox • GPG • Secrets Manager (AWS) • MFA ⚠

Slide 64

Slide 64 text

Cookies

Slide 65

Slide 65 text

Cookie flags • httpOnly • secure • SameSite

Slide 66

Slide 66 text

↩ Cookie scoping • domain • path • expires
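Added example for the two cookie slides above (not code from the deck): building a Set-Cookie header for a session cookie so the flags and scoping attributes map to concrete header text, and a small audit function that flags the omissions a reviewer looks for. Express's `res.cookie()` does the serialisation in a real app; the cookie name, values and lint rules here are constructed.

```javascript
// Serialise a cookie the way res.cookie() would. The value is URL-encoded
// because RFC 6265 forbids control characters, whitespace, '"', ',', ';'
// and '\' in it; encoding is safer than trusting the caller.
function serializeCookie(name, value, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.maxAge != null) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Session cookie with every flag from the slide: not readable by script
// (HttpOnly), HTTPS only (Secure), not sent on cross-site requests
// (SameSite=Strict), scoped to the whole site and expiring after an hour.
function sessionCookie(sessionId) {
  return serializeCookie('sid', sessionId, {
    httpOnly: true, secure: true, sameSite: 'Strict', path: '/', maxAge: 3600,
  });
}

// Lint a Set-Cookie header. Returns a list of findings; empty means the
// cookie carries the expected flags and is not scoped wider than it needs.
function auditSetCookie(header) {
  const [nameValue, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  const attrs = new Map(rawAttrs.map((a) => {
    const [k, ...v] = a.split('=');
    return [k.toLowerCase(), v.join('=')];
  }));
  const findings = [];
  if (!attrs.has('httponly')) findings.push('missing HttpOnly: value readable by injected script');
  if (!attrs.has('secure')) findings.push('missing Secure: sent over plain HTTP');
  if (!attrs.has('samesite')) {
    findings.push('missing SameSite: sent on cross-site requests (CSRF)');
  } else if (attrs.get('samesite').toLowerCase() === 'none' && !attrs.has('secure')) {
    findings.push('SameSite=None requires Secure');
  }
  // Domain widens scope to every subdomain; omit it unless that is intended.
  if (attrs.has('domain')) findings.push(`Domain=${attrs.get('domain')}: cookie shared with every subdomain`);
  // __Host- cookies cannot be set or overwritten from a subdomain, but only
  // if the browser's prefix rules are met.
  if (name.startsWith('__Host-') && (attrs.has('domain') || attrs.get('path') !== '/' || !attrs.has('secure'))) {
    findings.push('__Host- prefix requires Secure, Path=/ and no Domain; browsers will reject it');
  }
  return findings;
}
```

Run `auditSetCookie` over the `set-cookie` headers your app actually emits (for example in an integration test) rather than over the code that is supposed to set them; misconfigured proxies and framework defaults are where the flags usually go missing.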

Slide 67

Slide 67 text

Logging & monitoring

Slide 68

Slide 68 text

Logging & monitoring • winston • express-status-monitor

Slide 69

Slide 69 text

Logging & monitoring • Datadog & New Relic (monitoring) • Sentry & Bugsnag (errors) • Papertrail & Loggly (logs) • Pingdom & Checkly (status)

Slide 70

Slide 70 text

Exposing sensitive information

Slide 71

Slide 71 text


Slide 72

Slide 72 text

✅ Exposing sensitive information: just don't!

Slide 73

Slide 73 text


Slide 74

Slide 74 text

OWASP Top 10 owasp.org

Slide 75

Slide 75 text

Resources • owasp.org • WebGoat • Web Security Basics • MIT Computer Systems Security • The Node.js best practices list • Web Application Security

Slide 76

Slide 76 text

Takeaways

Slide 77

Slide 77 text


Slide 78

Slide 78 text

✌ Build a security culture

Slide 79

Slide 79 text


Slide 80

Slide 80 text

Thanks! Questions? @ianaya89