Modern apps-and-security-consideration

This is a draft version of my topic submitted to JSFOO 2018


  1. Modern JS Apps and Security Considerations. October, 2018
  2. 0 About Us
  3. Manish Shekhawat – Senior Manager, Experience Technology (XT); Vikash Bhardwaj – Director, Experience Technology (XT)
  4. © Copyright Publicis.Sapient | Confidential. Agenda:
     1. State of Modern JS Apps
     2. Cogs of the Modern Application System
     3. Types of Flaws in System
     4. Types of Vulnerabilities and Attacks
     5. Finding Vulnerabilities
     6. Tools to Fix Vulnerabilities
     7. Security as part of System Design
     8. Auditing Architecture Security
     9. Demo
     10. Take-aways
  5. 01 State of Modern JS Apps
  6. Modern web applications face higher user expectations: a rich user experience with speedy delivery of meaningful content. Today's web apps are expected to be usable 24/7 from virtually any device or screen size. Applications must be secure, flexible, and scalable. Source: https://docs.microsoft.com/en-us/dotnet/standard/modern-web-apps-azure-architecture/modern-web-applications-characteristics
  7. ECMASCRIPT EVERYWHERE!
  8. 02 Cogs of the Modern Application System
  9. Sample Modern Universal JS Application Architecture (diagram; labelled components: Message Broker, API Gateway, App Server). * Delete This Page Before Circulation
  10. 03 Types of Flaws in System
  11. Types of Application Flaws leading to Security Breach:
     • Architectural Design Flaws
     • Implementation Defects
     • Human Err!
  12. 04 Types of Vulnerabilities and Attacks
  13. Types of Attacks:
     • XSS
     • Click-Jacking
     • Expression/CSS/Attribute Injection
     • Directory Traversal Attack
     • Remote Memory Exposure
     • Regex DoS
     • Script Injection
     • SQL Injection
     • Typo-Squatting
     • DOM Clobbering
     • Information Leaks while logging
  14. 05 Finding Vulnerabilities
  15. Tools to find Vulnerabilities:
     • npm audit
     • Retire.js
     • WPScan
     • OWASP Top 10
     • Burp Suite
     • OWASP ZAP API
     • w3af
     • SAST and DAST before Build
     • Manual Audits
     • Observatory by Mozilla
     • Snyk
     • Hookish Chrome Extension
  16. 06 Tools to Fix Vulnerabilities
  17. Best Practices come handy:
     • Use linting and 'use strict'
     • Encode HTML and URLs
     • Sanitize inputs
     • JSON.parse
     • Whitelisting
     • No memory leaks
     • Limit the information written to logs
     • Secure, HttpOnly cookies; cookies scoped to a domain and valid for a limited time
     • Remove unnecessary headers
     • Use OAuth 2.0 or two-way authentication with refresh tokens
     • Know your app – its input, output and behaviour in different situations
     • Don't eval
  18. Tools of the Trade:
     • CSP
     • CSRF protection
     • HSTS
     • X-Frame-Options
     • X-XSS-Protection
     • X-Content-Type-Options
     • XSS filters / sanitize
     • React-helmet
  19. 07 Security as part of System Design
  20. Modern application systems should be designed secure from the ground up. Architectural design vulnerabilities should be avoided from the design phase onward. Each layer of the system should be made secure and should not be a single point of failure (SPOF) for the application, even in case of a security breach. Architects and developers should list all the possible inputs and outputs within the app. Define a workflow for developers with a daily touchpoint on security runs. Integrate the ZAP API in CI/CD.
  21. 08 Auditing Architecture Security
  22. Audit Application Architecture Security:
     • Done by dedicated security experts
     • Involve system architects
     • Methodologies: Data Flow Diagrams, Microsoft SDL – Threat Modeling Tool, Control Flow Diagrams, Cigital Threat Modeling Tool
     • Tools: Burp Suite, OWASP ZAP API, Manual Code Audit
  23. 09 Demo
  24. 10 Take-aways
  25. Remember, a lot can go wrong. Security is not just an NFR (non-functional requirement) of an application. If breached, it could cost sensitive data leaks, money, jobs, brand reputation and, many times, the whole business.
  26. Include security considerations as part of system architecture design. Avoid security-specific flaws in architecture, as both the impact of an architectural vulnerability and the cost of fixing it are high.
  27. Your application should not trust anybody – build a pessimistic, distrustful, skeptical application to make it secure.
  28. Validate and sanitize inputs. Encode and encrypt data in transit.
  29. Set appropriate headers. Don't leak sensitive PII in logs.
  30. Use proven libraries for session management; don't invent one unless you are a security and session-management expert.
  31. Think like a hacker, just don't overdo it! Start thinking in graphs and trees of possible attack paths. Security audit checklists are limiting. Know your app inside out.
  32. Security is not a post-implementation affair. Security should be an everyday job for developers, given they are equipped with best practices and tools.
