Security is not a feature!
Security is not a feature! - @ianaya89 1

Nacho Anaya
@ianaya89
• Principal Engineer https://twitter.com/@BalloonPlatform
• Ambassador @Auth0 & @GitKraken
• Tech Speaker @MozTechSpeakers
• Organizer @Vuenos_Aires

"There are two types of companies: those that have been hacked and those that don't yet know they have been hacked."
John T. Chambers

Understand the problem

Zoom

Uneven competition
...

3.5 billion

Loss of money

Loss of trust

Culture
• Training
• Policies
• Time
• Money

"If you spend more money on coffee than on IT security, you are going to get hacked. In fact, you deserve to get hacked."
Richard A. Clarke

Invest!

A systemic view

Vulnerabilities

Heartbleed

TCP is complex

HTTP/S - WebSockets - DNS - TCP - FTP - IPv4 - IPv6 - SSH - ASCII - IRC

Browsers too

HTML - CSS - JS

DOM - Geolocation - Multimedia - Fetch - Web Sockets - Storage

Understand the solution

There is no perfect solution

But we can prepare

Security is not a "nice to have"

Secure by default

Always, always...
Let's assume the worst

Know your application.

Input vectors

Query String - URL Path - Request Body - Cookies - Request Headers - Form Fields - File Inputs - Emails - Web Socket - Browser Storage

⚠ Don't trust users

✅ Security checklist

HTTPS
2020

Update versions
• Node.js (12.18.0 LTS)
• npm (6.14.4)
• express (4.17.1)

Update dependencies
• npm audit
• Dependabot
• Snyk

Linter
eslint-plugin-security

SQL / No-SQL Injection

✅ SQL / No-SQL Injection
• Validate inputs on the SERVER
• Sanitize queries
• Use an ORM / ODM

SQL / No-SQL Injection
• mongoose
• sequelize
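The two checklist items (validate on the server, use an ODM) meet in the request handler. The following is an added example, not code from the talk: a schema check that rejects a login body whose fields are not plain strings, so the value that reaches a mongoose query has the shape the query expects. The schema, the user record and `findUser` are hypothetical stand-ins.

```javascript
// Added example (not from the talk): server-side shape validation of a login
// body before it is used to build a mongoose/MongoDB query. No dependencies.

// Constructed schema: each field must be a string within a length range.
const loginSchema = {
  username: { type: 'string', min: 1, max: 64 },
  password: { type: 'string', min: 1, max: 128 },
};

// Validate `body` against `schema`. Returns { ok: true, value } containing
// only the declared fields, or { ok: false, errors }. Objects, arrays, numbers
// and null are rejected where a string is expected, so a JSON body cannot
// smuggle a nested document into the query.
function validateBody(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(schema)) {
    const v = body[field];
    if (typeof v !== rule.type) {
      errors.push(`${field}: expected ${rule.type}`);
    } else if (v.length < rule.min || v.length > rule.max) {
      errors.push(`${field}: length must be ${rule.min}-${rule.max}`);
    } else {
      value[field] = v; // unknown fields are never copied over
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Hypothetical data layer standing in for User.findOne({ username }) in mongoose.
const users = [{ username: 'alice', passwordHash: 'constructed-hash' }];
function findUser(username) {
  return users.find((u) => u.username === username) || null;
}

// Express-style handler; req is a plain object here so the block runs stand-alone.
// Password verification (bcrypt.compare in practice) is left out.
function loginHandler(req) {
  const result = validateBody(loginSchema, req.body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  const user = findUser(result.value.username);
  return user ? { status: 200, body: { user: user.username } }
              : { status: 401, body: { error: 'invalid credentials' } };
}
```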

XSS

✅ XSS
• Validate inputs on the SERVER
• Encode output (HTML)
• Secure response headers

XSS Headers
- HSTS
- HPKP
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Referrer-Policy
- Expect-CT
- Content-Security-Policy
Secure Headers

XSS
• @hapi/joi
• express-validator
• helmet
• csurf (CSRF)
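As an added example (not from the talk), the output-encoding and secure-headers items written without helmet so the header values are visible. HPKP and Expect-CT from the headers slide are omitted because both are deprecated in current browsers; the CSP value is an assumed starting point, not a recommendation for any particular site, and `renderProfile` is a hypothetical page.

```javascript
// Added example (not from the talk): HTML output encoding plus the response
// headers from the "Secure Headers" slide, built by hand instead of via helmet.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for an HTML element or double-quoted attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a (hypothetical) profile page from user-controlled values. Every
// interpolation goes through escapeHtml, so markup in the input is displayed,
// not interpreted by the browser.
function renderProfile({ displayName, bio }) {
  return `<h1>${escapeHtml(displayName)}</h1><p>${escapeHtml(bio)}</p>`;
}

// Header set from the slide. HPKP and Expect-CT are left out on purpose:
// both are deprecated, and a wrong pin can lock users out of the site.
function secureHeaders({ cspReportOnly = false } = {}) {
  // Assumed baseline policy; tighten or loosen per site.
  const csp = "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    // The legacy filter is disabled; CSP is the control, and the filter itself caused bugs.
    'X-XSS-Protection': '0',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    [cspReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy']: csp,
  };
}

// Express-style middleware: apply the header set to every response.
function secureHeadersMiddleware(options) {
  const headers = secureHeaders(options);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}
```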

DoS

✅ DoS
• Rate limiting
• Error handling
• Explicit "crashes"
• Regex validation
• Blocking users / IPs

DoS
• express-rate-limit (basic)
• node-rate-limiter-flexible (advanced)
• try/catch - catch() - if (err)
• safe-regex

Sessions & Tokens

✅ Sessions & Tokens
• Don't expose them
• Expire them
• Blacklist or whitelist
• OAuth - OpenID

Sessions & Tokens
• jsonwebtoken
• passport
• Auth0 - Okta - Firebase

Passwords

Time to crack

✅ Passwords
• hash + salt (don't use crypto)
• Strong passwords (entropy)
• MFA

Passwords
• bcrypt
• speakeasy
• Auth0 - Okta - Firebase
• Twilio

Have I Been Pwned?
https://haveibeenpwned.com

Have I Been Pwned?
API & DB

Dev Passwords & Secrets
• CI
• Dev Tools
• Cloud
• Keys - Tokens - Secrets

✅ Dev Passwords & Secrets
• 1Password
• Blackbox
• GPG
• Secret Manager (AWS)
• MFA

Cookies

Cookie Flags
• httpOnly
• secure
• SameSite

Cookie Scoping
• domain
• path
• expires
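An added example (not from the talk) that turns the flags from "Cookie Flags" and the attributes from "Cookie Scoping" into a Set-Cookie serializer with the checks browsers apply to those combinations; `serializeCookie` and `sessionCookie` are hypothetical names, and the defaults are the ones a session cookie wants.

```javascript
// Added example (not from the talk): Set-Cookie serializer applying httpOnly,
// secure and SameSite plus domain/path/expires scoping, with validation of the
// combinations browsers reject.
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;                 // RFC 6265 token
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;  // RFC 6265 cookie-octet

function serializeCookie(name, value, opts = {}) {
  if (!COOKIE_NAME.test(name)) throw new TypeError('invalid cookie name');
  if (!COOKIE_VALUE.test(value)) throw new TypeError('invalid cookie value');
  const { httpOnly = true, secure = true, sameSite = 'Lax', domain, path = '/', expires, maxAge } = opts;
  const ss = String(sameSite);
  if (!['Strict', 'Lax', 'None'].includes(ss)) throw new TypeError('SameSite must be Strict, Lax or None');
  // Browsers drop SameSite=None cookies that are not also Secure.
  if (ss === 'None' && !secure) throw new TypeError('SameSite=None requires Secure');
  // __Host- prefix: must be Secure, Path=/, and carry no Domain attribute.
  if (name.startsWith('__Host-') && (!secure || domain || path !== '/')) {
    throw new TypeError('__Host- cookie must be Secure, Path=/ and have no Domain');
  }
  const parts = [`${name}=${value}`];
  if (domain) parts.push(`Domain=${domain}`);   // omit to keep the cookie host-only
  parts.push(`Path=${path}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push('HttpOnly');        // not readable from document.cookie
  if (secure) parts.push('Secure');            // only sent over HTTPS
  parts.push(`SameSite=${ss}`);
  return parts.join('; ');
}

// Session id cookie with the defaults it should have: host-only (__Host-),
// HttpOnly, Secure, SameSite=Lax, and a short explicit lifetime.
function sessionCookie(sessionId, { ttlSeconds = 3600, now = () => new Date() } = {}) {
  const expires = new Date(now().getTime() + ttlSeconds * 1000);
  return serializeCookie('__Host-sid', sessionId, { expires, maxAge: ttlSeconds });
}
```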

Logging & Monitoring

Logging & Monitoring
• winston
• express-status-monitor

Logging & Monitoring
• datadog & new relic (monitoring)
• sentry & bugsnag (errors)
• papertrail & loggly (logs)
• pingdom & checkly (status)

Exposing Sensitive Information

✅ Exposing Sensitive Information
Just don't!

OWASP Top 10
owasp.org

Resources
• owasp.org
• WebGoat
• Web Security Basics
• MIT Computer Systems Security
• The Node.js best practices list
• Web Application Security

Takeaway

✌ Create a security culture

Thanks!
Questions?
@ianaya89