SHIELDS UP!
Improving security of your web-applications
Accelerating Innovations
Konstantin Mirin <konstantin.mirin@postindustria.com>
Nikolay Baterovskiy <nikolay.baterovskiy@postindustria.com>
02 WHY LISTENING?
Understand the importance and complexity
of the apps security
Learn about typical attacks
Practical tools and techniques to prevent
these attacks
What should the development process be?
Why should you give me
30 mins of your attention?
03 WHY LISTENING?
We have been creating software products since 2006
No security breaches have ever affected our clients
We consult startups on web and mobile
security
Background
Konstantin Mirin, CEO
Nikolay Baterovskiy, TPM
+ 89 software developers
04 WHY IS IT SO BAD?
Quick quiz
What's the best algorithm to hash user passwords?
What's the best way to prevent XSS?
What's the way to prevent CSRF?
Can you store the user's role in a JWT?
05 WHY IS IT SO BAD?
Quick quiz - answers
Argon2 (if you guessed bcrypt, that's not so bad)
CSP - Content Security Policy (except DOM attacks)
Check the Origin header
Yes, as long as it is signed by the server and you verify the
signature. But no: there is no good reason to prefer it over a
server-side check.
06 WHY IS IT SO BAD?
Security Complacency
Security is a comprehensive and hard topic
"Nothing bad happened last time"
"DevOps will handle it!"
"Haven't you already written it to be secure?"
LEAN development focuses on iterative delivery of
changes (validated learning); security is not one of them
Hard to explain the value of security audits
Delayed until the release -> never happens
One security breach costs A LOT more than an audit and
fixes
07 OWASP TOP 10
OWASP Top 10
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (not very relevant for PHP)
Broken Access Control
Security Misconfiguration (server)
XSS
Insecure Deserialization
Using Components With Known Vulnerabilities
Insufficient logging and monitoring
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
08 OWASP TOP 10
SQL Injection
09 OWASP TOP 10
SQL Injection - Mitigation
Use prepared statements (PDO, MySQLi)
Validate and escape input
Scan automatically with sqlmap (http://sqlmap.org/)
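The same lookup written both ways, as an added example (PHP, not code from the slides): the unsafe version concatenates input into the SQL text, the hardened version uses a PDO prepared statement, and a third layer validates the input before it reaches the database at all. The users table and the in-memory SQLite database are constructed for the demo; findUserUnsafe, findUserSafe and findUserValidated are hypothetical names.

```php
<?php
// Added example, not code from the slides. Assumes a PDO connection to a
// table users(id, email, name); the SQLite database below is constructed.

// Vulnerable: user input is pasted straight into the SQL text, so a quote
// in the input changes the structure of the query.
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, name FROM users WHERE email = '" . $email . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the statement is prepared with a placeholder; the value travels
// separately from the SQL and is always treated as data, never as syntax.
function findUserSafe(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Validation on top of the prepared statement: anything that cannot be an
// e-mail address is rejected before the database layer sees it.
function findUserValidated(PDO $pdo, string $email): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return findUserSafe($pdo, $email);
}

// Constructed in-memory database with one row.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
$pdo->exec("INSERT INTO users (email, name) VALUES ('alice@example.com', 'Alice')");

// Constructed input containing a quote and an OR clause.
$input = "x' OR '1'='1";
var_dump(findUserUnsafe($pdo, $input));     // the WHERE clause is rewritten: a row comes back
var_dump(findUserSafe($pdo, $input));       // the literal string matches no e-mail address
var_dump(findUserValidated($pdo, $input));  // rejected before any query runs
```

The unsafe function returns Alice's row although the caller never asked for it, because the injected text became part of the query; the prepared statement compares the whole input string against the column and finds nothing. Keep the validation step even with prepared statements: it stops garbage early and gives you a clean place to log rejected input.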
10 OWASP TOP 10
Broken Authentication
Undetected brute-forcing
No session length limit
No multi-factor authentication or password requirements
No session ID regeneration (session fixation attack)
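A login flow that addresses the four points above (and the Argon2 quiz answer), as an added example in PHP that is not code from the slides: failed attempts are counted so brute-forcing is both slowed down and visible, the session ID is regenerated at login against session fixation, and an absolute session lifetime is enforced on every request. The user store is a constructed in-memory array and the thresholds are assumptions; PASSWORD_ARGON2ID requires PHP 7.3+ built with Argon2 support.

```php
<?php
// Added example, not code from the slides. The user store is constructed;
// a real application reads and writes the same fields in its database.

const MAX_FAILED_LOGINS = 5;        // lockout threshold (assumption)
const MAX_SESSION_AGE   = 8 * 3600; // absolute session lifetime in seconds (assumption)

// Argon2id through PHP's password API; PASSWORD_BCRYPT is the acceptable fallback.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_ARGON2ID);
}

// Returns true on success. Failed attempts are counted per account so that
// brute-forcing is slowed (lockout) and leaves a trail for monitoring.
function login(array &$users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    $user = &$users[$email];
    if ($user['failed'] >= MAX_FAILED_LOGINS) {
        error_log("login blocked for {$email}: too many failed attempts"); // alert source
        return false;
    }
    if (!password_verify($password, $user['hash'])) {
        $user['failed']++;
        error_log("login failed for {$email} (attempt {$user['failed']})");
        return false;
    }
    $user['failed'] = 0;
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    // Session fixation defence: issue a fresh session ID at the privilege
    // change and delete the old one, so an ID planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user['id'];
    $_SESSION['created_at'] = time();
    return true;
}

// Run on every authenticated request: an absolute session length limit,
// independent of activity, so a stolen session cannot live forever.
function sessionIsFresh(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['created_at'])
        && (time() - $_SESSION['created_at']) <= MAX_SESSION_AGE;
}

// Constructed store with one account; session is started before any output.
session_start();
$users = ['alice@example.com' => ['id' => 1, 'hash' => hashPassword('correct horse battery'), 'failed' => 0]];

$results = [
    login($users, 'alice@example.com', 'wrong password'),          // fails, counter becomes 1
    login($users, 'alice@example.com', 'correct horse battery'),   // succeeds, session established
    sessionIsFresh(),                                              // session just created
];
var_dump($results);
```

Pair the lockout counter with the alerting discussed on the logging slide: the same error_log lines that block an account are the ones a monitoring rule should count. Multi-factor authentication is not shown here; it slots in between password_verify succeeding and session_regenerate_id.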
11 OWASP TOP 10
Sensitive Data Exposure
Plain text credit card or password data
Poorly designed encryption for credit cards or other
credentials (allowing them to ever be retrieved)
No in-transit encryption (SSL/TLS)
12 OWASP TOP 10
Broken Access Control
Serving data without checking permissions properly
(site.com/profile/adminuser)
Relying on hidden fields or cookies as the authentic source of
privileges
Modifying data without ownership control (I can update another
user's account)
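A profile-update handler that covers the three points on this slide and the CSRF quiz answer (check the Origin header), as an added example in PHP that is not code from the slides: the request origin must match the site, identity and role come from the server-side session rather than from hidden fields, the target record must belong to the caller (or the caller must be an admin), and only whitelisted fields are written. The request, session and profile store are constructed in-memory; originAllowed and updateProfile are hypothetical names.

```php
<?php
// Added example, not code from the slides. Request, session and data store
// are constructed arrays so the handler runs without a web server.

// CSRF: a state-changing request must come from our own origin. Browsers set
// Origin (or at least Referer) themselves and page scripts cannot forge it.
function originAllowed(array $headers, array $allowedOrigins): bool
{
    $origin = $headers['Origin'] ?? null;
    if ($origin === null && isset($headers['Referer'])) {
        $p = parse_url($headers['Referer']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    return $origin !== null && in_array($origin, $allowedOrigins, true);
}

// Returns the HTTP status the handler would answer with.
function updateProfile(array $request, array $session, array &$profiles): int
{
    if (!originAllowed($request['headers'], ['https://site.com'])) {   // site.com is the slide's example host
        return 403;
    }
    // Identity and privileges come from the server-side session, never from
    // a hidden form field, a cookie value or the request body.
    $actorId = $session['user_id'] ?? null;
    $isAdmin = ($session['role'] ?? 'user') === 'admin';
    if ($actorId === null) {
        return 401;
    }
    $targetId = (int) ($request['params']['id'] ?? 0);
    if (!isset($profiles[$targetId])) {
        return 404;
    }
    // Ownership control: only your own record, unless you are an admin.
    if ($targetId !== $actorId && !$isAdmin) {
        return 403;
    }
    // Whitelist of writable fields; a "role" key in the body is silently ignored.
    foreach (['name', 'bio'] as $field) {
        if (isset($request['body'][$field])) {
            $profiles[$targetId][$field] = (string) $request['body'][$field];
        }
    }
    return 200;
}

// Constructed data: user 1 is logged in as a plain user.
$profiles = [1 => ['name' => 'Alice', 'role' => 'user'], 2 => ['name' => 'Bob', 'role' => 'admin']];
$session  = ['user_id' => 1, 'role' => 'user'];

$req = ['headers' => ['Origin' => 'https://site.com'], 'params' => ['id' => '2'],
        'body' => ['name' => 'Mallory', 'role' => 'admin']];
var_dump(updateProfile($req, $session, $profiles));   // other user's record: refused

$req['params']['id'] = '1';
var_dump(updateProfile($req, $session, $profiles));   // own record: name written, role untouched
var_dump($profiles[1]);

$req['headers'] = ['Origin' => 'https://other.example'];
var_dump(updateProfile($req, $session, $profiles));   // wrong origin: refused before any work
```

The order of the checks matters: origin first (cheapest, and it protects every later step), then authentication, then existence, then ownership. Doing the ownership check by adding `AND owner_id = :actor` to the UPDATE statement is an equally valid pattern and removes the window between the lookup and the write.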
13 OWASP TOP 10
Security Misconfiguration
Production server is a copy of dev (same users and access)
.git is on production server
Production contains unnecessary services (e.g. build tools)
DB user is not restricted to just the necessary functions (e.g. can alter
table structure, truncate records, alter stored procedures, modify
config tables etc.)
Easy for the developer ~= insecure
Forget default Docker images with admin/admin credentials
Software patch management
AWS Inspector
14 OWASP TOP 10
Security Headers
HTTP Strict Transport Security (HSTS)
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy (CSP)
X-Permitted-Cross-Domain-Policies
Referrer-Policy
CORS:
Never use wildcard (Access-Control-Allow-Origin: *)
Only allow credentials when it's absolutely required
Only allow methods that are really used
HttpOnly cookies (inaccessible from JavaScript)
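How the headers above are sent from PHP, as an added example that is not code from the slides: one function emits the security headers, one answers CORS requests from an explicit allowlist instead of a wildcard, and one configures the session cookie with HttpOnly, Secure and SameSite before the session starts. The allowed origins, the CSP values and the function names are assumptions; the CSP shown is a restrictive starting point, not the one from the XSS slide.

```php
<?php
// Added example, not code from the slides. Header values are a conservative
// starting point; tune them to what the site actually loads.

function sendSecurityHeaders(): void
{
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    header('X-Frame-Options: DENY');
    header('X-Content-Type-Options: nosniff');
    header('X-XSS-Protection: 1; mode=block');
    header('X-Permitted-Cross-Domain-Policies: none');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header("Content-Security-Policy: default-src 'none'; script-src 'self'; "
         . "connect-src 'self'; img-src 'self'; style-src 'self'");
}

// CORS: echo back only an origin on the allowlist, never "*"; credentials only
// when the caller really needs them; only the methods the API serves.
function sendCorsHeaders(string $requestOrigin, bool $withCredentials = false): bool
{
    $allowed = ['https://app.site.com', 'https://admin.site.com']; // assumption
    if (!in_array($requestOrigin, $allowed, true)) {
        return false;   // no CORS headers at all: the browser blocks the cross-origin read
    }
    header('Access-Control-Allow-Origin: ' . $requestOrigin);
    header('Vary: Origin');   // caches must not hand one origin's answer to another
    header('Access-Control-Allow-Methods: GET, POST');
    header('Access-Control-Allow-Headers: Content-Type');
    if ($withCredentials) {
        header('Access-Control-Allow-Credentials: true');
    }
    return true;
}

// Session cookie flags must be set before session_start() emits the cookie.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,       // only over TLS
        'httponly' => true,       // not readable by JavaScript
        'samesite' => 'Lax',      // not sent on cross-site POSTs
    ]);
    session_start();
}

sendSecurityHeaders();
sendCorsHeaders($_SERVER['HTTP_ORIGIN'] ?? '');
startHardenedSession();
```

Setting headers in the application is useful for testing; in production the DevOps slide's advice applies and the same values belong in the web server configuration so that static files and error pages get them too. Run https://securityheaders.com/ (listed on the tools slide) against the result.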
15 OWASP TOP 10
XSS
Reflected XSS (site.com/<script>alert('hacked')</script>not_found)
Stored XSS (<script>alert('hacked')</script> is stored in a forum
subject field)
DOM XSS (including DOM content fetched via a CORS request)
Escape output. And validate input. Always.
Configure CSP:
default-src 'none'; script-src 'self' www.google-analytics.com ajax.googleapis.com; connect-src 'self'; img-src 'self'; style-src 'self';
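The reflected case from this slide, a 404 page that echoes the request path, as an added example in PHP that is not code from the slides: the unescaped template beside the escaped one, a safe way to hand data to inline JavaScript, and input validation of the path. htmlspecialchars and json_encode are standard PHP; the page fragments and the function names are constructed here.

```php
<?php
// Added example, not code from the slides: escape output for the context it
// lands in, and validate input before it reaches a template at all.

// HTML text and attribute context. ENT_QUOTES covers both quote styles, so the
// same function is safe inside attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the path is interpolated verbatim; a <script> in it is executed.
function notFoundUnsafe(string $path): string
{
    return "<h1>Not found</h1><p>No page at {$path}</p>";
}

// Hardened: the same page with the value escaped; the browser renders the
// tag characters as text.
function notFoundSafe(string $path): string
{
    return '<h1>Not found</h1><p>No page at ' . e($path) . '</p>';
}

// JavaScript context: JSON with the HEX flags, so "</script>" or quotes inside
// the value cannot close the script element or break out of the string.
function inlineData(array $data): string
{
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>window.APP = ' . $json . ';</script>';
}

// Input validation: a routable path only needs a narrow character set.
function validPath(string $path): bool
{
    return preg_match('#^/[A-Za-z0-9_\-./]*$#', $path) === 1 && strpos($path, '..') === false;
}

// Constructed input, taken from the reflected-XSS line on the slide.
$path = "/<script>alert('hacked')</script>not_found";
echo notFoundUnsafe($path), "\n";         // the script tag survives into the page
echo notFoundSafe($path), "\n";           // the tag is shown as text
echo inlineData(['path' => $path]), "\n"; // angle brackets become \u003C and \u003E
var_dump(validPath($path));               // rejected before any template runs
```

Escaping is per context: the HTML escaper is wrong inside a script block and json_encode is wrong inside an attribute, which is why the example keeps them as separate functions. CSP (the policy on this slide) is the second layer; it limits what a missed escape can do, but does not replace escaping.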
16 OWASP TOP 10
Insecure deserialization
Trusting serialized cookie contents. Sign them instead.
Use JSON to carry data
Monitor deserialization exceptions. Those are potential attacks
(or bugs)
Validate data types after deserialization
Never ever eval(), especially deserialized data
Log your network traffic that has serialized data that you're
going to deserialize
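The first five points of this slide in one place, as an added example in PHP that is not code from the slides: the cookie carries JSON, not a PHP-serialized object; it is signed with an HMAC and the signature is verified before anything is decoded; decoding failures and bad signatures are logged as potential attacks; and the decoded data is checked field by field for the expected types. The key is a placeholder, and the cookie layout (payload.mac) and function names are assumptions.

```php
<?php
// Added example, not code from the slides. COOKIE_KEY is a placeholder; load
// a real random key from configuration, never from source control.

const COOKIE_KEY = 'REPLACE-WITH-A-32-BYTE-RANDOM-KEY';

// JSON rather than serialize(): json_decode can only ever produce scalars and
// arrays, so no class is instantiated on the way in.
function encodeSignedCookie(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Returns the validated data, or null when the cookie is absent, unsigned,
// altered, undecodable or of an unexpected shape.
function decodeSignedCookie(?string $cookie, string $key): ?array
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {           // constant-time comparison
        error_log('cookie signature mismatch');    // potential attack, or a bug: monitor it
        return null;
    }
    try {
        $raw  = base64_decode($payload, true);
        $data = json_decode($raw === false ? '' : $raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        error_log('cookie decode failed: ' . $e->getMessage());
        return null;
    }
    // Type validation after deserialization: exactly the fields and types we expect.
    if (!is_array($data) || !isset($data['user_id'], $data['theme'])
        || !is_int($data['user_id']) || !is_string($data['theme'])) {
        error_log('cookie has unexpected shape');
        return null;
    }
    return ['user_id' => $data['user_id'], 'theme' => $data['theme']];
}

// Constructed round trip.
$cookie = encodeSignedCookie(['user_id' => 42, 'theme' => 'dark'], COOKIE_KEY);
var_dump(decodeSignedCookie($cookie, COOKIE_KEY));

// Constructed tampering: a different payload under the original signature.
$tampered = base64_encode('{"user_id":1,"theme":"dark"}') . '.' . explode('.', $cookie)[1];
var_dump(decodeSignedCookie($tampered, COOKIE_KEY));
```

The tampered cookie is rejected at the signature step, before the JSON is parsed, which is the point of signing: nothing untrusted is ever deserialized. The error_log lines are the "monitor deserialization exceptions" advice made concrete; feed them to the same alerting as failed logins.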
17 OWASP TOP 10
Using vulnerable components
Javascript: Lighthouse security check
npm audit
php security-checker
18 OWASP TOP 10
Insufficient Logging and Monitoring
Do you log all logins, failed login attempts, profile updates and
other sensitive actions? Is there an audit trail for those
modifications (what has been changed)?
You don't store password values or credit card numbers without
obfuscation, do you?
Do you store all that in a secure way?
Is the logging centralized and standardized so that one can
query those logs?
Do you record time and duration? Very useful for performance
and forensic analysis.
Can those logs be tampered with?
Any alerts that are triggered automatically based on logs?
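One way to answer several of these questions in code, as an added example in PHP that is not code from the slides: every sensitive action is written as one JSON line with a UTC timestamp and duration, secret fields are redacted before they are logged, and a small scan over the log raises an alert when one address fails to log in too often. The log lines and the threshold are constructed; the field names, REDACT_KEYS and the function names are assumptions. Ship the JSON lines to a central store (the tools slide suggests ELK) so that they can be queried.

```php
<?php
// Added example, not code from the slides. Writes structured audit events and
// shows a minimal alert rule over them. Log lines here are constructed.

const REDACT_KEYS = ['password', 'new_password', 'card_number', 'cvv'];  // assumption

// Build one JSON log line. $started is microtime(true) taken at request start.
function auditEvent(string $action, array $context, float $started): string
{
    foreach (REDACT_KEYS as $key) {
        if (array_key_exists($key, $context)) {
            $context[$key] = '[REDACTED]';   // never let the secret reach the log store
        }
    }
    $entry = [
        'ts'          => gmdate('Y-m-d\TH:i:s\Z'),
        'action'      => $action,
        'duration_ms' => (int) round((microtime(true) - $started) * 1000),
        'ip'          => $_SERVER['REMOTE_ADDR'] ?? 'cli',
    ] + $context;   // fixed fields win over caller-supplied keys of the same name
    return json_encode($entry, JSON_UNESCAPED_SLASHES);
}

// Alert rule: addresses with at least $threshold failed logins in the given lines.
function failedLoginAlerts(array $lines, int $threshold): array
{
    $counts = [];
    foreach ($lines as $line) {
        $e = json_decode($line, true);
        if (!is_array($e) || ($e['action'] ?? '') !== 'login_failed') {
            continue;
        }
        $ip = $e['ip'] ?? 'unknown';
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    }
    return array_filter($counts, fn (int $n): bool => $n >= $threshold);
}

// A profile update that carried a password field: the value is redacted, the
// fact that the field changed is kept.
$started = microtime(true);
echo auditEvent('profile_update', ['user_id' => 7, 'changed' => ['email', 'password'], 'password' => 'hunter2'], $started), "\n";

// Constructed log: six failures from one address, one from another.
$lines = [];
for ($i = 0; $i < 6; $i++) {
    $lines[] = json_encode(['ts' => "2019-05-01T10:00:0{$i}Z", 'action' => 'login_failed', 'ip' => '203.0.113.5', 'user' => 'alice']);
}
$lines[] = json_encode(['ts' => '2019-05-01T10:00:07Z', 'action' => 'login_failed', 'ip' => '198.51.100.9', 'user' => 'bob']);
print_r(failedLoginAlerts($lines, 5));   // only the first address crosses the threshold
```

Tamper resistance is not addressed by the code itself: write the lines to a store the application user can append to but not rewrite, and let the alert rule run on that store rather than on the application host.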
19 TOOLS AND PROCESS
Development process
Education is important. Make sure every developer has read and
understood the OWASP Top 10. This alone makes a difference.
Invest in DevOps engineers who harden your servers and configure
security headers
Embrace any static code checking tool. Include it in CI (you have CI,
right?)
Teach your QA to use ZAP
Perform code reviews (including security aspects)
"Done" should mean that security review by any team member
was completed
20 TOOLS AND PROCESS
Tools to use
Hands and brain. Nothing beats them :-)
sqlmap for SQL injection
OWASP ZAP for penetration testing
AWS Inspector for system scanning
Detectify or a similar service for continuous external
scans
ELK (Elastic, Logstash, Kibana) for extensive logging
Static code analysis (SonarQube, RIPS or phpcs-security-audit)
OWASP AppSensor or other web-app firewall
https://securityheaders.com/ to check security headers
21 CONTACT US
LIKED IT? SHARE IT!
live long and prosper
Share it! https://www.slideshare.net/konstantinmirin/
Let's connect! https://www.linkedin.com/in/konstantinmirin/
Visit us! https://postindustria.com/
Ask questions! konstantin.mirin@postindustria.com