Successfully reported this slideshow.
Your SlideShare is downloading. ×

Delivering Javascript to World+Dog

Jan. 12, 2021
0 likes 32 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
SSL for SaaS Providers
SSL for SaaS Providers
Loading in …3
×

Check these out next

Caching for Cash, part 4 DPC 2009
Helgi Þormar Þorbjörnsson
Serverless security: attack & defense
SecuRing
Scott Isaacs Presentationajaxexperience (Final)
Ajax Experience 2009
Александр Сергиенко, Senior Android Developer, DataArt
Alina Vilk
How to speed up your website
VernalWeb
AWS Cost Control: Cloud Custodian
OlinData
How secure are webinar platforms?
SecuRing
5 things MySql
sarahnovotny
1 of 24 Ad

Delivering Javascript to World+Dog

Jan. 12, 2021
0 likes 32 views

Download to read offline

Internet

Black Hat USA 2017
Video https://youtu.be/37FDdXCFGX0
You've joined a startup building the next big enterprise unicorn. The product is delivered as javascript on all of your customers' websites. What could go wrong? The threat model of serving third party javascript all over the web will be reviewed. There's plenty of room for small engineering mistakes that lead to pwn-once, exploit everywhere fail. Strategies for focusing your SDL on these flaws will be discussed.

Next, defenses in key points of the delivery architecture will be explored, from the SaaS platform to CDNs to browsers. Now for the money - what does it take to convince customers to serve your code? It's a big leap of faith for customers to trust you and your arbitrary javascript on their site. The deeper their pockets are, the higher they set the bar for you throughout your architecture. What do they expect in your SDL? Finally, how do you sell this in your organization? Going beyond SDL best practices, strategies for building a product & engineering culture of protecting javascript delivery will be shared.

Black Hat USA 2017
Video https://youtu.be/37FDdXCFGX0
You've joined a startup building the next big enterprise unicorn. The product is delivered as javascript on all of your customers' websites. What could go wrong? The threat model of serving third party javascript all over the web will be reviewed. There's plenty of room for small engineering mistakes that lead to pwn-once, exploit everywhere fail. Strategies for focusing your SDL on these flaws will be discussed.

Next, defenses in key points of the delivery architecture will be explored, from the SaaS platform to CDNs to browsers. Now for the money - what does it take to convince customers to serve your code? It's a big leap of faith for customers to trust you and your arbitrary javascript on their site. The deeper their pockets are, the higher they set the bar for you throughout your architecture. What do they expect in your SDL? Finally, how do you sell this in your organization? Going beyond SDL best practices, strategies for building a product & engineering culture of protecting javascript delivery will be shared.

Internet
Advertisement

Recommended

SSL for SaaS Providers
Cloudflare
7.7k views
20 slides
Managing Traffic Spikes This Holiday Season
Cloudflare
1.4k views
32 slides
Overview of SSL: choose the option that's right for you
Cloudflare
2.6k views
18 slides
The High Performance Web Application Lifecycle
Alois Reitbauer
709 views
33 slides
How to Meet FFIEC Regulations and Protect Your Bank from Cyber Attacks
Cloudflare
2.3k views
15 slides
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare
Cloudflare
13k views
62 slides
Caching for Cash - Part 4
Helgi Þormar Þorbjörnsson
536 views
39 slides
Frontend Caching - The "new" frontier
Helgi Þormar Þorbjörnsson
1k views
39 slides
Advertisement

More Related Content

Slideshows for you (20)

Caching for Cash, part 4 DPC 2009
Helgi Þormar Þorbjörnsson
680 views
Serverless security: attack & defense
SecuRing
1.2k views
Scott Isaacs Presentationajaxexperience (Final)
Ajax Experience 2009
1.6k views
Александр Сергиенко, Senior Android Developer, DataArt
Alina Vilk
270 views
How to speed up your website
VernalWeb
55 views
AWS Cost Control: Cloud Custodian
OlinData
654 views
How secure are webinar platforms?
SecuRing
123 views
5 things MySql
sarahnovotny
679 views
Ieee S&P 2020 - Software Security: from Research to Industry.
Minded Security
120 views
Token Authentication in ASP.NET Core
Stormpath
2k views
Speed Kit: Getting Websites out of the Web Performance Stone Age
Felix Gessert
602 views
Top 10 Recovery as-a-Service Questions Answered
Bluelock
446 views
Its just a flesh wound
Brett Gravois
153 views
Web Crypto
karlvr
321 views
MongoDB Launchpad 2016: Moving Cybersecurity to the Cloud
MongoDB
919 views
Altitude SF 2017: Security at the edge
Fastly
2.1k views
Tulsa tech fest 2010 - web speed and scalability
Jason Ragsdale
626 views
Keep the Web Fast
Chris Fetherston
776 views
Scaling Security in the Cloud With Open Source
CloudVillage
4k views
Altitude San Francisco 2018: HTTP/2 Tales: Discovery and Woe
Fastly
315 views
Caching for Cash, part 4 DPC 2009
Helgi Þormar Þorbjörnsson
680 views
40 slides
Serverless security: attack & defense
SecuRing
1.2k views
63 slides
Scott Isaacs Presentationajaxexperience (Final)
Ajax Experience 2009
1.6k views
15 slides
Александр Сергиенко, Senior Android Developer, DataArt
Alina Vilk
270 views
8 slides
How to speed up your website
VernalWeb
55 views
14 slides
AWS Cost Control: Cloud Custodian
OlinData
654 views
15 slides

Similar to Delivering Javascript to World+Dog (20)

AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
Amazon Web Services
2.2k views
Mike MacCana - Deploying your JS app in 2018
OdessaJS Conf
176 views
Improving password-based authentication
Frank Denis
1.8k views
A real-life account of moving 100% to a public cloud
Julien SIMON
1.9k views
The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...
Jan Löffler
1.3k views
A Managed Platform Will Change Your Business
WP Engine
959 views
Abusing bleeding edge web standards for appsec glory
Priyanka Aash
206 views
Optimizing website performance
Publisto Ltd.
285 views
Jan 2008 Allup
llangit
728 views
Bootstrapping - Session 1 - Your First Week with Amazon EC2
Amazon Web Services
5.3k views
109. Arquitecturas Escalables con GX
GeneXus
520 views
Gruntwork Executive Summary
Yevgeniy Brikman
10.4k views
It's a Dangerous World
MongoDB
764 views
How to Migrate your Startup to AWS
Amazon Web Services
1.7k views
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
196 views
Web Speed And Scalability
Jason Ragsdale
788 views
Scaling Marketplace to 10,000 Add-Ons - Arun Bhalla
Atlassian
1.2k views
Speed Up WordPress Websites - Part 1 - WordPress Cairo Meetup
Ahmed Mohammed Nagdy
422 views
Web performance optimization
Kaliop-slide
1.7k views
Hilfe, wir brauchen ein Frontend
open knowledge GmbH
572 views
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
Amazon Web Services
2.2k views
62 slides
Mike MacCana - Deploying your JS app in 2018
OdessaJS Conf
176 views
22 slides
Improving password-based authentication
Frank Denis
1.8k views
53 slides
A real-life account of moving 100% to a public cloud
Julien SIMON
1.9k views
25 slides
The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...
Jan Löffler
1.3k views
58 slides
A Managed Platform Will Change Your Business
WP Engine
959 views
23 slides
Advertisement

Recently uploaded (20)

Unit-IV EMR b.sc II sem 2022.pptx
anjalatchi
2 views
wirelessnetworks-ppt-140909071911-phpapp02.pdf
kouyepwanko
2 views
docker
Muhammad Herwindra Berlian
2 views
Trends That Will Drive the Future of Mobile Apps.pdf
Alakmalak Technologies Pvt. Ltd.
2 views
Research and Publication Information.pptx
anjalatchi
0 views
Welcome address for lamp lighting ceremony.pptx
anjalatchi
6 views
ns.project.pptx
PrincePatel272012
1 view
6.Translation Procedure
ThinTmNguyn4
2 views
World cancer day celebrated with Dnip Care.pptx
anjalatchi
0 views
Notes.pptx
FaisalMisbah2
3 views
How-to-Build-a-Career-in-AI.pdf
Dustin Liu
25 views
oc ppt 2.pptx
1520lakshyagupta
3 views
Unit 18-2.pptx
Sagunlohala1
2 views
Hidraulica II.pdf
CondoriRusbell
0 views
REUSABLE DEVICES.pptx
anjalatchi
0 views
World health day 7.4.2022.pptx
anjalatchi
2 views
Cybersecurity
BernardinoMelgar1
3 views
WORLD TUBERCULOSIS DAY 2023 AWARENESS.pptx
anjalatchi
2 views
S05.s2-Preparación para la PC1 (material) 2022 marzo.docx
AntonyTarazonaPielag
5 views
ConnectPath Introduction
CloudHesive
4 views
Unit-IV EMR b.sc II sem 2022.pptx
anjalatchi
2 views
99 slides
wirelessnetworks-ppt-140909071911-phpapp02.pdf
kouyepwanko
2 views
23 slides
docker
Muhammad Herwindra Berlian
2 views
4 slides
Trends That Will Drive the Future of Mobile Apps.pdf
Alakmalak Technologies Pvt. Ltd.
2 views
1 slide
Research and Publication Information.pptx
anjalatchi
0 views
18 slides
Welcome address for lamp lighting ceremony.pptx
anjalatchi
6 views
17 slides

Delivering Javascript to World+Dog

  1. 1. Delivering Javascript to World+Dog
  2. 2. Background Enterprise SaaS Third party javascript Functional Spec Include JS on site, increase biz What could go wrong?
  3. 3. The Problem Javascript - delivering code + data in one Browser can’t always tell the difference 3rd party js - Hack once, pwn everywhere
  4. 4. Real-World Example
  5. 5. Threat Model Pwn any of these to have your Gigya moment • Customer • App admin • App developer • AWS Admin • CDN developer or admin • CDN • DNS • Staging • Vuln in payload
  6. 6. Humans - the Weakest Link Even after you get your shizz together, your customers won’t
  7. 7. Humans - the Weakest Link Startup developers want to move fast, unencumbered by big company bureaucracy. They ship code daily. More access means less headaches getting their job done. Least Privilege Managing Secrets
  8. 8. Good- modern password best practices Better - 2FA Best - SAML SSO Enterprise SaaS Authentication
  9. 9. Safely Creating Business Value No custom js Output encode everything
  10. 10. Absolutely minimize attack surface Log, publish HMAC of builds HTTPS build fn HTTPS to stage bucket HTTPS to CDN Third Party Library Management Building and Staging
  11. 11. CDN HTTPS everywhere Minimize admins Logging Change Management SSO, 2FA
  12. 12. HTTPS everywhere Have a backup ready DNS CAA Secure DNS? DNS
  13. 13. TLS Cert Transparency Pinning Pinning Preload HTTP2 Server Push SHA-2 certs Update ciphersuites regularly
  14. 14. Browser Cookies, HTML5 Local Storage Data will be scrutinized and tampered with Integrity checks first Don’t store sensitive data
  15. 15. HTTP2 - no need to bundle Server Push Long lived connections Colliding with Performance Load first on page TLS latency TLS tuning Can’t break up javascript Can’t break up data
  16. 16. CSP Great idea Least worst, allow unsafe Hardly any customers ask for it CSPv3?
  17. 17. Subresource Integrity Integrity Check Static Ties your hands
  18. 18. Self Hosted Not sustainable Need rigorous agile release See server side
  19. 19. Bug Bounty What finds legit high severity bugs in the JS? $1000 Bounty - Nope $5000 Bounty - Nope $10000 Bounty - ? 10k/1 week of a $300/hr consultant? Yup
  20. 20. Availability Have backup: • DNS • CDN • Origin • Build • Configuration
  21. 21. Looking Ahead Anomaly detection Privacy Insurance?
  22. 22. For More @kylerandolph about.me/kylerandolph Like this? Optimizely is Hiring! optimizely.com/careers
  23. 23. TLS is essential Javascript integrity must be ensured end-to-end Don’t give your customers the opportunity to make insecure choices Black Hat Sound Bytes
  24. 24. Delivering Javascript to World+Dog

×