With the exponential growth of internet usage and the impact it has on our lives, security has become more and more important, especially when we take into account the number of users with close to zero IT experience and limited knowledge of security.
That means we, as the engineers who create modern applications, should take responsibility for making them more robust and secure.
In this talk I’m going to explore the security topic for a broader developer audience and share simple but useful strategies, tactics and techniques that help make the applications we create more secure.
2. ● proud father
● SA in EPAM Systems
● Java is my primary programming language
● enjoying FP with Erlang/Elixir/Elm
● infected by the disruptive power of AI
● passionate about agile, clean code and devops
9. Economic Impact by Forbes
- From 2013 to 2015 the cost of cyber crime quadrupled
- By 2019 cyber crime costs are estimated to reach $2 Trillion
https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019
12. CWE/SANS Top 25
https://cwe.mitre.org, https://cwe.mitre.org/top25/index.html; SANS stands for “SysAdmin, Audit, Network and Security”, CWE stands for “Common Weakness Enumeration”
19. Least Privileges Possible
- Reduce permissions to just what is needed to complete a task
- Decompose permission settings
- Keep the permission configuration up to date
- Recheck before allowing privileged access
20. Secure Cookies
- Whenever possible use the HttpOnly flag
- Whenever possible use the Secure flag
- Specify an expiration date
- Encrypt data inside cookies if there is no other choice
- Consider JWT tokens over cookies
21. Secure Connection
- Prefer HTTPS over HTTP traffic, and the same with other protocols
- Use an up-to-date secure transport, e.g. TLS 1.3, TLS 1.2, TLS 1.1, SSL
- Consider certificate-based authentication
- Avoid open redirects
23. Change Insecure Defaults
- Change default credentials
- Change/block default admin/support/internal URLs
- Change/block software fingerprints
- Close ports that are open by default
24. Trust but Verify
- Sanitize requests/responses
- Use parameterized queries to the DB, or use an ORM
- Do not rely on client-side-only validation
- Employ CSRF tokens for submit requests
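As an added example that is not part of the talk, here is the parameterized-query bullet demonstrated on a constructed in-memory SQLite table: the concatenated query sits beside the parameterized one, and both are run with an ordinary name and with a name that contains a quote so the behavioural difference is visible.

```python
# Added example (not from the talk): string concatenation vs. a parameterized
# query, run against a constructed in-memory SQLite table.
import sqlite3


def _demo_db():
    """Constructed sample data: an in-memory user table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn, name):
    """Concatenation: the request parameter becomes part of the SQL text,
    so a quote in the value changes the statement's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the
    SQL, so the value is only ever compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both variants on the same input and return (unsafe_rows, safe_rows)."""
    conn = _demo_db()
    try:
        return find_user_unsafe(conn, name), find_user_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary name behaves the same way in both variants; a value
    # carrying a quote makes the concatenated query return every row.
    for value in ("alice", "x' OR '1'='1"):
        unsafe, safe = compare(value)
        print(f"{value!r}: concatenated -> {unsafe}, parameterized -> {safe}")
```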
25. Separation of Concerns
- Single-purpose deployment targets
- The fewest possible software dependencies
- Use the Content-Security-Policy header/meta tag
26. Encapsulate Internals
- Never display internal errors
- Avoid the use of simple identifiers
- Limit the number of attempts to prevent enumeration
- Exchange the least amount of data possible
27. Encryption
- Encrypt sensitive data at rest and in transit
- Use strong, up-to-date encryption algorithms
- Use strong, up-to-date hashing algorithms with a salt for passwords
30. Find Security Bugs
- Project page https://find-sec-bugs.github.io/
- 100+ bug patterns
- Integrates with IDEs (Eclipse, IntelliJ)
- Integrates into the CI/CD pipeline (Jenkins, SonarQube, most build tools)
31. SonarQube
- Project page https://www.sonarqube.org/
- Rules according to CWE, SANS Top 25, and OWASP Top 10
- Integrates with IDEs (Eclipse, IntelliJ)
- Integrates into the CI/CD pipeline (Jenkins, most build tools)
32. Dependency Check
- Project page https://www.owasp.org/index.php/OWASP_Dependency_Check
- Identifies project dependencies and checks for any known, publicly disclosed vulnerabilities
- Integrates with build tools, Jenkins and SonarQube
33. OWASP ZAP
- Project page https://goo.gl/tPdhxO
- Provides a UI, an API and a CLI
- Integrates into the CI/CD pipeline (Jenkins)
- Good for ad-hoc and regular scans
37. Takeaways
- Security is important
- Security is everyone’s responsibility
- It’s really impactful across the organization(s)
- There are simple steps to improve security
- Remember the weakest link of any solution, e.g. the human