With exponential growth of internet usage and impact it has for our lives nowadays the importance of security becomes extremely more and more valuable, especially if we take into account number of users with closed to zero experience in IT and with limited knowledge in security. That means we’re as engineers who create modern applications should take responsibility to make them more robust and secure. In this talk I’m going to explore security topic for broader developers audience and share simple but yet useful strategies, tactics and techniques to help to make applications we create more secure.

1. Web Security...
Level Up ^

2. ● proud father
● SA in EPAM Systems
● Java is my primary programming language
● enjoying FP with Erlang/Elixir/Elm
● infected by AI disrupting power
● passionate about agile, clean code and devops

3. Agenda
● Whats and Whys?
● How?
○ Guides
○ Strategies
○ Techniques
○ Tools
● Demo
● Takeaways
● References
● Q&A

4. What’s
&
Why’s

5. Projects / Context
- Customers in retail, software development, logistics
- Independent security governance
- No compliance = no go-live
- Regular audits

6. Security
=
Awareness
+
Protection

7. Security Breach Outcomes
- Ruined Reputation
- Vandalism
- Theft
- Revenue Loss
- Damaged Intellectual Property

8. https://breachlevelindex.com/

9. Economic Impact by Forbes
- From 2013 to 2015 the cyber crime costs quadrupled
- By 2019 cyber crime costs estimated to reach $2 Trillion
https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019

10. Guides

11. OWASP Top 10
https://github.com/OWASP/DevGuide, https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

12. CWE/SANS Top 25
https://cwe.mitre.org, https://cwe.mitre.org/top25/index.html, SANS stands for “SysAdmin, Audit, Network and Security”, CWE stands for “Common Weakness Enumeration”

13. Mozilla Web Security
https://wiki.mozilla.org/Security/Guidelines/Web_Security

14. Strategies

15. Security-Aware Culture
- Security belongs to everyone
- Cultivate security awareness
- Make security fun and engaging

16. Security Concept
Document
- Track integrations
- Track protocols
- Track data flows
- Track landscapes

17. Continuous Security
- Ahead of time vulnerabilities identification
- Minimizes security risks
- Built into SDLC to reduce fix associated costs

18. Techniques

19. Least Privileges Possible
- Reduce permissions just to complete a task
- Decompose permission settings
- Keep permissions configuration actual
- Recheck before to allow privileged access

20. Secure Cookies
- Whenever possible use httpOnly flag
- Whenever possible use secure flag
- Specify expiration date
- Encrypt data inside cookies if there is no other choice
- Consider JWT token over cookies

21. Secure Connection
- Prefer HTTPS over HTTP traffic, the same w/ other protocols
- Use an actual secure transport e.g. TLS 1.3, TLS 1.2, TLS 1.1, SSL
- Consider certificate based authentication
- Avoid open redirects

22. Up-to-date Software
- Apply security patches AFAP
- Update software on continuous basis
- Keep up-to-date configuration settings

23. Change Unsecure Defaults
- Change default credentials
- Change/block default admin/support/internal URLs
- Change/block software fingerprints
- Close by default opened ports

24. Trust but Verify
- Sanitize request/response
- Parameterized queries to DB or use ORMs
- Do not rely on client side only validation
- Employ CSRF token for submit requests

25. Separation of Concerns
- Single purpose deployment targets
- Least number of software dependencies
- Use Content-Security-Policy header/meta

26. Encapsulate Internals
- Never display internal errors
- Avoid usage of simple identificators
- Limit # of attempts to prevent enumerations
- Least amount of exchange data

27. Encryption
- Encrypt sensitive data at rest and in transit
- Use strong/actual encryption algorithms
- Use strong/actual hashing algorithms w/ salt for passwords

28. Tools

29. Types
pre-commit
integration
post-deployment

30. Find Security Bugs
- Project page https://find-sec-bugs.github.io/
- 100+ bug patterns
- Integratable with IDEs (Eclipse, IntelliJ)
- Injectable into CI/CD Pipeline (Jenkins, SonarQube, most build
tools)

31. SonarQube
- Project page https://www.sonarqube.org/
- Rules according to CWE, SANS Top 25, and OWASP Top 10
- Integratable with IDEs (Eclipse, IntelliJ)
- Injectable into CI/CD Pipeline (Jenkins, most build tools)

32. Dependency Check
- Project page
https://www.owasp.org/index.php/OWASP_Dependency_Check
- Identifies project dependencies and checks for any known,
publicly disclosed, vulnerabilities
- Integrates with build tools, Jenkins and SonarQube

33. OWASP ZAP
- Project page https://goo.gl/tPdhxO
- Provides UI, API, CLI
- Injectable into CI/CD Pipeline (Jenkins)
- Good for ad-hoc and regular scans

34. BDD-Security
- Project page https://continuumsecurity.net/bdd-security/
- BDD style to define security testing
- Injectable into CI/CD Pipeline
- Leverages OWASP ZAP, SSLyze, Nessus, Cucumber

35. Carrier
- Project page https://github.com/carrier-io
- Automate Security testing
- Injectable into CI/CD Pipeline
- Does scanning of ports, SSL, Web vulnerabilities (ZAP,
Masscan, W3AF, Nikto, etc.)
- Aggregation of testing results
- Integration with ReportPortal.io

36. Demo

37. Takeaways
- Security is important
- Security is everyone's’ responsibility
- It’s really impactful across organization(s)
- There are simple steps to improve security
- Remember about weakest link of any solution e.g. human

38. References
- Web Security Basics https://goo.gl/YWKVdq
- Web Security https://lynda.com/Web_Security
- OWASP https://www.owasp.org
- DevSecOps http://www.devsecops.org/
- Source Code https://github.com/webdizz/security-shift

39. Izzet_Mustafayev@EPAM.com
@webdizz
webdizz
izzetmustafaiev
http://webdizz.name
Thanks