
Forgotten Security


We all agree security is important, but did you know how easy it is to thwart some of the most common attacks? We'll shed light on how secure application development practices can be easily overlooked. We'll learn the simple steps we can take to secure our web applications from the threat of dangerous vulnerabilities using Node.js, Express, and Angular. The best defense is a good offense. Learn to go on the offensive to protect your web apps.

Published in: Technology

Forgotten Security

  1. Forgotten Security. Brian Clark, _clarkio
  2. Casterly Rock
  3. Casterly Rock
  4. Deter your enemies
  5. Defending against… Infantry
  6. Defending against… Infantry, Arrows
  7. Defending against… Infantry, Arrows, Mortars
  8. OWASP
  9. Open Web Application Security Project, owasp.org
  10. Access Control
  11. Authentication: you are who you say you are. Authorization: you have the required permissions for the request.
  12. Browser http://insecureheroes.com | Server http://insecureheroes.com
  13. Browser http://insecureheroes.com | Server http://insecureheroes.com
  14. Browser http://insecureheroes.com | Server http://insecureheroes.com
  15. Browser http://insecureheroes.com (Cookies) | Server http://insecureheroes.com
  16. Browser http://insecureheroes.com (Cookies) | Server http://insecureheroes.com | Hero: Luke
  17. Demo
  18. Faking Requests
  19. Browser http://insecureheroes.com (Cookies) | Server http://insecureheroes.com | Hero: Luke
  20. Browser http://insecureheroes.com (Cookies), http://clickbaity.co | Server http://insecureheroes.com
  21. Browser http://insecureheroes.com (Cookies), http://attacker.com | Attack insecureheroes.com | Server http://insecureheroes.com | Hero: Darth
  22. Demo
  23. Cross-site Request Forgery: an attack that executes a request on behalf of another authenticated user who was not intending to perform the action being requested.
  24. Synchronizer Token Pattern: random token; unique to user and session; included as a header; validated server-side.
  25. https://www.npmjs.com/package/csurf
  26. https://angular.io/guide/http#security-xsrf-protection
  27. Demo
  28. Stealing Clicks
  29. Demo
  30. Clickjacking: an attack that tricks users into clicking on content that they were not intending to click on.
  31. Clickjacking Mitigation: X-FRAME-OPTIONS with DENY, SAMEORIGIN, or ALLOW-FROM: URL* (*Content-Security-Policy: frame-ancestors: URL)
  32. https://helmetjs.github.io/
  33. Demo
  34. Package Management
  35. https://nodesecurity.io/opensource
  36. Demo
  37. https://snyk.io
  38. Demo
  39. Summary: Access Control; Faking Requests; Stealing Clicks; Package Management
  40. © AngularMIX All rights reserved. https://www.angularmix.com References:
      - https://owasp.org
      - https://github.com/Azure-Samples/angular-cosmosdb (branch: insecure-heroes)
      - https://angular.io/guide/security
      - https://www.npmjs.com/package/csurf
      - https://angular.io/guide/http#security-xsrf-protection
      - https://www.npmjs.com/package/helmet
      - https://nodesecurity.io/opensource
      - https://snyk.io
  41. Please use EventsXD to fill out a session evaluation. Thank you! Brian Clark, _clarkio
