Advertisement
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers

Check these out next

Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...
OWASP Delhi
Ajax Fingerprinting Filtering Wth Mod Security2
Ajax Fingerprinting Filtering Wth Mod Security2
Aung Khant
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
OWASP
OWASP
gehad hamdy
Web Application Security
Web Application Security
Srivigneshwar R Prasad
OWASP -Top 5 Jagjit
OWASP -Top 5 Jagjit
Jagjit Singh Brar
Sql injection
Sql injection
Praneeth Perera
Overview of RateSetter web security
Overview of RateSetter web security
RateSetter
1 of 21

Lidiia 'Alice' Skalytska - Security Checklist for Web Developers

Sep. 11, 2017
Technology

Application Security considerations are best articulated in a simple and actionable form. Alice recommends using specially crafted checklists just for that. Follow Alice on Twitter: https://twitter.com/alice_kaifat

OWASP Kyiv
OWASP Kyiv
Advertisement
Advertisement
Advertisement

Recommended

Automatically detecting security vulnerabilities in WordPressAutomatically detecting security vulnerabilities in WordPress
Automatically detecting security vulnerabilities in WordPressFresh Consulting620 views21 slides
Security Testing - A complete GuideSecurity Testing - A complete Guide
Security Testing - A complete GuideBugRaptors62 views13 slides
8 must dos for a perfect privileged account management strategy8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategyManageEngine561 views9 slides
Web Sec AuditorWeb Sec Auditor
Web Sec AuditorAung Khant190 views2 slides
IT security : Keep calm and monitor PowerShellIT security : Keep calm and monitor PowerShell
IT security : Keep calm and monitor PowerShellManageEngine1.2K views24 slides
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior202 views5 slides

More Related Content

Slideshows for you(20)

Setting up a cost effective Application Security program from scratch by Tusn...Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...
OWASP Delhi462 views
Ajax Fingerprinting Filtering Wth Mod Security2Ajax Fingerprinting Filtering Wth Mod Security2
Ajax Fingerprinting Filtering Wth Mod Security2
Aung Khant402 views
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior642 views
OWASPOWASP
OWASP
gehad hamdy90 views
Web Application SecurityWeb Application Security
Web Application Security
Srivigneshwar R Prasad3.2K views
OWASP -Top 5 JagjitOWASP -Top 5 Jagjit
OWASP -Top 5 Jagjit
Jagjit Singh Brar102 views
Sql injectionSql injection
Sql injection
Praneeth Perera112 views
Overview of RateSetter web security Overview of RateSetter web security
Overview of RateSetter web security
RateSetter515 views
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham10K views
What Should Go Into A Web Application Penetration Testing Checklist?What Should Go Into A Web Application Penetration Testing Checklist?
What Should Go Into A Web Application Penetration Testing Checklist?
Hacker Combat379 views
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham22.6K views
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham25.8K views
Abusing Google Apps and Data API: Google is My Command and Control CenterAbusing Google Apps and Data API: Google is My Command and Control Center
Abusing Google Apps and Data API: Google is My Command and Control Center
Ajin Abraham8.7K views
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injection
Secure Code Warrior405 views
Introduction to OWASPIntroduction to OWASP
Introduction to OWASP
Thomas F. "T.J." Maher Jr.959 views
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - Authentication
Secure Code Warrior346 views
Windows 8 programming with html and java scriptWindows 8 programming with html and java script
Windows 8 programming with html and java script
RTigger2.3K views
What not to do with ASP NETWhat not to do with ASP NET
What not to do with ASP NET
PsiberTech Solutions Pte Ltd325 views
Reducing Risk of Credential Compromise at NetflixReducing Risk of Credential Compromise at Netflix
Reducing Risk of Credential Compromise at Netflix
SBWebinars211 views
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham64.7K views

Similar to Lidiia 'Alice' Skalytska - Security Checklist for Web Developers(20)

C01461422C01461422
C01461422
IOSR Journals503 views
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
Stephen de Vries1.2K views
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
Paul Gilzow740 views
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
PayPalX Developer Network3.5K views
Threat modeling with architectural risk patternsThreat modeling with architectural risk patterns
Threat modeling with architectural risk patterns
Stephen de Vries3K views
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Veracode467 views
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
Nugroho Gito1.5K views
Web application security (eng)Web application security (eng)
Web application security (eng)
Anatoliy Okhotnikov794 views
Security As A ServiceSecurity As A Service
Security As A Service
Olav Tvedt598 views
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET Application
Iron Speed513 views
7 Step Checklist for Web Application Security.pptx7 Step Checklist for Web Application Security.pptx
7 Step Checklist for Web Application Security.pptx
Probely11 views
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars210 views
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
Eoin Keary91 views
Mobile application security GuidelinesMobile application security Guidelines
Mobile application security Guidelines
Entersoft Security38 views
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd626 views
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 Final
Manoj Agarwal663 views
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
💻 Javier Garza5K views
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
Ben Rothke681 views
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma668 views
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys554 views
Advertisement

More from OWASP Kyiv(20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv245 views
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv197 views
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv153 views
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv589 views
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv693 views
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv466 views
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv2.4K views
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv432 views
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv524 views
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv362 views
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
OWASP Kyiv590 views
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv343 views
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv815 views
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
OWASP Kyiv343 views
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv1.1K views
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv647 views
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
OWASP Kyiv1.5K views
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv636 views
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv412 views
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
OWASP Kyiv370 views

Recently uploaded(20)

Taking control of your queries with GraphQL, Alba RivasTaking control of your queries with GraphQL, Alba Rivas
Taking control of your queries with GraphQL, Alba Rivas
CzechDreamin0 views
Introduction to Custom Journey Builder Activities, Orkhan AlakbarliIntroduction to Custom Journey Builder Activities, Orkhan Alakbarli
Introduction to Custom Journey Builder Activities, Orkhan Alakbarli
CzechDreamin0 views
The CTA Mindset for Architects, Melissa Shepard & Lilith Van BiesenThe CTA Mindset for Architects, Melissa Shepard & Lilith Van Biesen
The CTA Mindset for Architects, Melissa Shepard & Lilith Van Biesen
CzechDreamin0 views
5 key ideas for robust and flexible REST API integrations with Apex, Lucian M...5 key ideas for robust and flexible REST API integrations with Apex, Lucian M...
5 key ideas for robust and flexible REST API integrations with Apex, Lucian M...
CzechDreamin0 views
20230601_FinOps_Meetup_Switzerland.pdf20230601_FinOps_Meetup_Switzerland.pdf
20230601_FinOps_Meetup_Switzerland.pdf
Wuming Zhang0 views
Why do you Need to Migrate to Salesforce Flow?, Andrew CookWhy do you Need to Migrate to Salesforce Flow?, Andrew Cook
Why do you Need to Migrate to Salesforce Flow?, Andrew Cook
CzechDreamin0 views
Effective coding approaches with Salesforce: Combining features for maximum i...Effective coding approaches with Salesforce: Combining features for maximum i...
Effective coding approaches with Salesforce: Combining features for maximum i...
CzechDreamin0 views
The Capital Stack - Mastersfund Curriculum copy.pdfThe Capital Stack - Mastersfund Curriculum copy.pdf
The Capital Stack - Mastersfund Curriculum copy.pdf
Gillian Muessig0 views
Deep Dive into Dashboard Components, David CarnesDeep Dive into Dashboard Components, David Carnes
Deep Dive into Dashboard Components, David Carnes
CzechDreamin0 views
Report & Dashboard REST API : Get your report accessible anywhere !, Romain Q...Report & Dashboard REST API : Get your report accessible anywhere !, Romain Q...
Report & Dashboard REST API : Get your report accessible anywhere !, Romain Q...
CzechDreamin0 views
GitHub Copilot: An AI Agent of Change for Civic CodersGitHub Copilot: An AI Agent of Change for Civic Coders
GitHub Copilot: An AI Agent of Change for Civic Coders
Alicia Brown0 views
STAUFFER 2012 Sewer System 120720.pptSTAUFFER 2012 Sewer System 120720.ppt
STAUFFER 2012 Sewer System 120720.ppt
shucaybcabdi0 views
Want to demo like a salesforce solution engineer?, Jasmine AshleyWant to demo like a salesforce solution engineer?, Jasmine Ashley
Want to demo like a salesforce solution engineer?, Jasmine Ashley
CzechDreamin0 views
“DEEPX’s New M1 NPU Delivers Flexibility, Accuracy, Efficiency and Performanc...“DEEPX’s New M1 NPU Delivers Flexibility, Accuracy, Efficiency and Performanc...
“DEEPX’s New M1 NPU Delivers Flexibility, Accuracy, Efficiency and Performanc...
Edge AI and Vision Alliance0 views
Real-time communication with Account Engagement (Pardot). Marketers meet deve...Real-time communication with Account Engagement (Pardot). Marketers meet deve...
Real-time communication with Account Engagement (Pardot). Marketers meet deve...
CzechDreamin0 views
Webinar - Making the business case - resources.pptxWebinar - Making the business case - resources.pptx
Webinar - Making the business case - resources.pptx
OpenAthens0 views
User adoption: The holy grail of change management, Andre van KampenUser adoption: The holy grail of change management, Andre van Kampen
User adoption: The holy grail of change management, Andre van Kampen
CzechDreamin0 views
PyCon LT .pptxPyCon LT .pptx
PyCon LT .pptx
ssuser59b75e0 views
How to Successfully Implement Revenue Cloud & What CPQ Certification May Not ...How to Successfully Implement Revenue Cloud & What CPQ Certification May Not ...
How to Successfully Implement Revenue Cloud & What CPQ Certification May Not ...
CzechDreamin0 views
The Art of Discovery – Why Requirements Matter, Pallavi AgarwalThe Art of Discovery – Why Requirements Matter, Pallavi Agarwal
The Art of Discovery – Why Requirements Matter, Pallavi Agarwal
CzechDreamin0 views
Advertisement

Lidiia 'Alice' Skalytska - Security Checklist for Web Developers

  1. Security checklist for Web Developers Lidiia ‘Alice’ Skalytska OWASP Kyiv 2017
  2. Software development lifecycle
  3. Secure Software development lifecycle
  4. Planning Analyze your application threat modeling user interface flaws data presentation flaws Usability create applications that users understand and like to use Security incident plan build security incident plan. One day, you will need it.
  5. Development / Implementation Authentication Database Input / output / validate Web Traffic Logs The 3rd party components
  6. Authentication Use Facebook / Google / etc. Login Use multi-factor authentication Implement Proper Password Strength Controls Ensure all passwords are hashed Implement Secure Password Recovery Mechanism Never write your own crypto Prevent Brute- Force Attacks
  7. Database Access control Use minimal privilege user account If you can use crypto, use it! Store backups in other place(s) Encrypt backups
  8. Input / Output / Validate Client-side and server-side input validation Always validate and encode user input before displaying Never use untrusted user input Input data is always suspect
  9. Web Traffic TLS Use TLS for the entire site Cookies Cookies must be httpOnly and secure HSTS Use HSTS responses
  10. Logs All user account management activity Every access control related events Application errors and system events Changes to application configuration settings You need readable logs (who? when? where?)
  11. The 3rd party components Libraries • internally or externally • keep them small • check vendor reputation APIs • use a special key to access • testing inputs and outputs • check vendor reputation Microservices • each microservice is separate • use JSON • use TLS
  12. Testing 1 Create a testing plan 2 Audit your design and implementation 3 Do penetration testing  4 Think like a hacker
  13. Resume Planning Development Testing
  14. Questions? Security checklist for Web Developers alice.bizarius@gmail.com securit13podcast@gmail.com http://securit13.libsyn.com/ @alice_kaifat
Advertisement