Slides for the talk presented at RubyFuza & Friends 2019.
GOOD MORNING RUBYFUZA ☕
RUAN BRANDÃO
SOFTWARE ENGINEER AT MAGNETIS (WE ARE HIRING)
TWITTER TIMELINE CURATOR
@RUANBRANDAO / RUAN-BRANDAO
Photo by Rafaela Biazi on Unsplash
São Paulo
Paulínia - São Paulo
Pipa - Rio Grande do Norte
Made in "
CYBER ATTACKS
A FIELD GUIDE FOR WEB VULNERABILITIES
THE WEB: HTTP, HTTPS, TLS, SSL, Databases, Servers, Credentials, TCP/IP, DNS, Clusters, Cache, Browsers
USING COMPONENTS WITH KNOWN VULNERABILITIES
UPDATE YOUR APPLICATION DEPENDENCIES (Security tip #1)
INJECTION ‣ SQL ‣ NOSQL ‣ CODE ‣ COMMANDS
INJECTION VULNERABILITIES ALLOW ATTACKERS TO RUN CODE ON YOUR APPLICATION SERVERS
SQL INJECTION
XKCD, available at https://xkcd.com/327/
BE CAREFUL WITH THE ORDER METHOD
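The point behind this slide, as an added example in plain Ruby that is not from the deck and needs no ActiveRecord: Rails' `order` accepts raw SQL fragments, so `Model.order(params[:sort])` lets the client write part of the query, while mapping the parameter to an allowlisted column and direction (the hash form `order(name: :asc)`) keeps it data. The column names, `unsafe_order_fragment` and `safe_sort_order` are assumptions made for the example.

```ruby
# Added example, not from the slides. Plain Ruby, no ActiveRecord needed.
# Rails' `order` accepts raw SQL fragments, so `Model.order(params[:sort])`
# lets a client write part of the query. These helpers show the unsafe
# pattern next to an allowlist-based replacement.

# Columns and directions a client may sort by (constructed for this example).
SORTABLE_COLUMNS = %w[name created_at price].freeze
SORT_DIRECTIONS  = %w[asc desc].freeze
DEFAULT_SORT     = { created_at: :desc }.freeze

# Unsafe: the client string is spliced into the ORDER BY clause unchanged,
# which is what `Model.order(params[:sort])` amounts to.
def unsafe_order_fragment(sort_param)
  "ORDER BY #{sort_param}"
end

# Safe: parse "column" or "column:direction", accept only allowlisted values,
# and return a Hash for `Model.order(hash)`, which ActiveRecord quotes as
# column names instead of interpreting as SQL. Anything else falls back to
# a fixed default order.
def safe_sort_order(sort_param)
  column, direction = sort_param.to_s.downcase.split(":", 2)
  direction ||= "asc"
  return DEFAULT_SORT unless SORTABLE_COLUMNS.include?(column) &&
                             SORT_DIRECTIONS.include?(direction)

  { column.to_sym => direction.to_sym }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including one carrying an unexpected SQL fragment.
  ["name:desc", "PRICE", "password_digest", "name, 1=1"].each do |param|
    puts "#{param.inspect} -> unsafe: #{unsafe_order_fragment(param).inspect}, " \
         "safe: #{safe_sort_order(param).inspect}"
  end
end
```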
CODE INJECTION & COMMAND INJECTION
BE EXTRA CAREFUL WITH EVAL AND BACKTICKS
BE CAREFUL WITH CONSTANTIZE
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING ALLOWS ATTACKERS TO RUN CODE IN YOUR APPLICATION USERS' BROWSERS
RAILS DOES THE HARD WORK
BE CAREFUL WITH RAW AND HTML_SAFE
NEVER TRUST USER INPUT (Security tip #2)
BROKEN ACCESS CONTROL
BE CAREFUL WITH ACCESS TO SENSITIVE DATA (Security tip #3)
BROKEN AUTHENTICATION
DO NOT REINVENT THE WHEEL. UNLESS YOU REALLY, REALLY KNOW WHAT YOU ARE DOING. (Security tip #4)
AND MUCH MORE… ‣ CROSS-SITE REQUEST FORGERY (CSRF) ‣ REMOTE CODE EXECUTION (RCE) ‣ SENSITIVE DATA EXPOSURE ‣ SECURITY MISCONFIGURATION
Photo by Patrick Tomasso on Unsplash
https://owasp.org
Photo by Barn Images on Unsplash
STATIC CODE ANALYSIS
TOOLS: STATIC CODE ANALYSIS TOOLS
GitHub, available at https://github.blog/2017-10-11-a-more-connected-universe/
SECURITY SCANNERS
TOOLS: SECURITY SCANNER TOOLS
Arachni, available at http://www.arachni-scanner.com/
PENETRATION TESTS (PENTESTS)
SECURITY IS NOT A PRODUCT. SECURITY IS AN ONGOING PROCESS. (Security tip #0)
THANK YOU! ❤ @RUANBRANDAO / RUAN-BRANDAO