Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Report
OWASP KyivFollow
OWASP KyivSep. 11, 2017•0 likes•548 views
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Sep. 11, 2017•0 likes•548 views
Report
Technology
Application Security considerations are best articulated in a simple and actionable form. Alice recommends using specially crafted checklists just for that. Follow Alice on Twitter: https://twitter.com/alice_kaifat
OWASP KyivFollow
OWASP KyivRecommended
Automatically detecting security vulnerabilities in WordPressFresh Consulting
Security Testing - A complete GuideBugRaptors
8 must dos for a perfect privileged account management strategyManageEngine
Web Sec AuditorAung Khant
IT security : Keep calm and monitor PowerShellManageEngine
Secure Code Warrior - Remote file inclusionSecure Code Warrior
More Related Content
Slideshows for you
Setting up a cost effective Application Security program from scratch by Tusn...OWASP Delhi
Ajax Fingerprinting Filtering Wth Mod Security2Aung Khant
Secure Code Warrior - Cross site scriptingSecure Code Warrior
OWASPgehad hamdy
Web Application SecuritySrivigneshwar R Prasad
OWASP -Top 5 JagjitJagjit Singh Brar
Similar to Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
C01461422IOSR Journals
Scalable threat modelling with risk patternsStephen de Vries
Become a Security NinjaPaul Gilzow
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
Threat modeling with architectural risk patternsStephen de Vries
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Veracode
More from OWASP Kyiv
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...OWASP Kyiv
Software Supply Chain Security та компоненти з відомими вразливостямиOWASP Kyiv
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv
Threat Modeling with OWASP Threat DragonOWASP Kyiv
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...OWASP Kyiv
Vlad Styran - Cyber Security Economics 101OWASP Kyiv
Recently uploaded
Mitigating Common CloudStack Instance Deployment FailuresShapeBlue
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a MigrationScyllaDB
Info Session GDSC Mepco Sechenk Chapter.pptxDURAIVIGNESHC
GDSC Final PPT.pptxDishaSharma737984
![[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf](https://cdn.slidesharecdn.com/ss_thumbnails/wc-kcdgt2023demystifyingetcdfailurescenariosforkubernetes-230819210453-e911a262-thumbnail.jpg?width=384&height=256&fit=bounds)
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdfWilliam Caban
GDSC23 SAC - Info Session GDSC.pptxSAC
![[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf](https://cdn.slidesharecdn.com/ss_thumbnails/wc-kcdgt2023demystifyingetcdfailurescenariosforkubernetes-230819210453-e911a262-thumbnail.jpg?width=2048&height=1162&fit=bounds)
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
- Security checklist for Web Developers Lidiia ‘Alice’ Skalytska OWASP Kyiv 2017
- Software development lifecycle
- Secure Software development lifecycle
- Planning Analyze your application threat modeling user interface flaws data presentation flaws Usability create applications that users understand and like to use Security incident plan build security incident plan. One day, you will need it.
- Development / Implementation Authentication Database Input / output / validate Web Traffic Logs The 3rd party components
- Authentication Use Facebook / Google / etc. Login Use multi-factor authentication Implement Proper Password Strength Controls Ensure all passwords are hashed Implement Secure Password Recovery Mechanism Never write your own crypto Prevent Brute- Force Attacks
- Database Access control Use minimal privilege user account If you can use crypto, use it! Store backups in other place(s) Encrypt backups
- Input / Output / Validate Client-side and server-side input validation Always validate and encode user input before displaying Never use untrusted user input Input data is always suspect
- Web Traffic TLS Use TLS for the entire site Cookies Cookies must be httpOnly and secure HSTS Use HSTS responses
- Logs All user account management activity Every access control related events Application errors and system events Changes to application configuration settings You need readable logs (who? when? where?)
- The 3rd party components Libraries • internally or externally • keep them small • check vendor reputation APIs • use a special key to access • testing inputs and outputs • check vendor reputation Microservices • each microservice is separate • use JSON • use TLS
- Testing 1 Create a testing plan 2 Audit your design and implementation 3 Do penetration testing 4 Think like a hacker
- Resume Planning Development Testing
- Questions? Security checklist for Web Developers alice.bizarius@gmail.com securit13podcast@gmail.com http://securit13.libsyn.com/ @alice_kaifat