KharkivJS 2018 Information Security Practice
0 likes313 views
Viktor Turskyi discusses the importance of information security in software development, highlighting the risks often underestimated by businesses. He emphasizes practical cases, JavaScript demos, and real-life applications rather than theoretical tools or reports. Turskyi believes that understanding security enhances a developer's skills and makes the work enjoyable.
KharkivJS 2018 Information Security Practice
- 1. Viktor Turskyi Information Security Practice 2018
- 2. Viktor Turskyi ● CEO at WebbyLab ● 15 years in software development
- 3. Why I talk about security? 1. I switched to software development from IT security 2. I work with software engineers for many years and this topic is highly undercovered 3. I work with different businesses for many years and risks are highly underestimated 4. Governmental regulations (GDPR, PCI DSS etc) 5. It makes you a better software engineer 6. It is FUN!!
- 4. What I will talk about? 1. Not about OWASP (Open Web Application Security Project) Top 10 report 2. Not about security tools (metasploit, sqlmap etc) 3. Not about content security policy. 4. Only practical cases that we’ve met in real life. 5. JavaScript based demos 6. Real cases simulated in environment a. React frontend b. NodeJs backend c. Set of exploits
- 5. Overview of the existing application
- 6. Case 1: Email password recovery
- 7. Case 1: Takeaways Mongo ID predictable UUID v1 predictable (unique, but not random) UUID v4 predictable Always think about predictability of URLs (keys, etc)
- 8. Case 2: Password recovery by SMS
- 9. Case 2: Takeaways Think about bruteforce Reset actions: SMS codes CAPTCHA Codes
- 10. Case 3: File paths
- 11. Use npm audit JWT vulnerability example Check your dependencies Security is a question of trust apt update Case 3: Takeaways
- 12. Case 4: Photos upload
- 13. Case 4: Takeaways Thinks about edge cases Just know how system works
- 14. Case 5: Tweet creation
- 15. Case 5: Takeaways Do not use regex for extracting script tags Use sanitizer with tags and attrs white-listing CORS will allow you do cross domain request XSS worms issues
- 16. Case 6: HTML page parsing issue
- 17. Case 6: Takeaways Know HTML page parsing Think about data usage context
- 18. Case 7: Network risks
- 19. Case 7: Takeaways Think about communication Get the whole picture Use HTTPS everywhere
- 20. Case 8..14: Case 8: Clickjacking Case 9: Tabnapping Case 10: CSRF (cookie, basic auth) Case 11: SQL Injection (pass through ORM) Case 12: ORM Injection Case 13: Unsafe HTTPS Redirect Case 14: Target=_blank (without rel="noopener noreferrer")
- 21. What I like information security? Information security is about understanding how things work It makes you a better developer You can create more complex projects It is fun
- 22. Thank you!