Atmosphere 2016 - Eugenij Safanov - Web Application Security: from reactive to proactive
•Télécharger en tant que ODP, PDF•
1 j'aime•213 vues
Security on the Web is gaining more and more attention from both sides of the fence these days. Intruders become more skillful and well equipped and enterprises try their best to be at least one step ahead. Both sides craft more sophisticated and powerful tools in a an endless arms race. How to keep up and not overwhelm yourself? Here in Kainos Smart we believe we've got an answer. This talk is both a reminder of some of the basic principles of Web application security, best practices and a tale of our journey to becoming SOC2 certified. Main focus here is how to adapt to a massive changes from a WebOps perspective.
Recommandé
Recommandé
Contenu connexe
Similaire à Atmosphere 2016 - Eugenij Safanov - Web Application Security: from reactive to proactive
Similaire à Atmosphere 2016 - Eugenij Safanov - Web Application Security: from reactive to proactive (20)
Dernier
Dernier (20)
Atmosphere 2016 - Eugenij Safanov - Web Application Security: from reactive to proactive
- 1. Web Application Security From reactive to proactive Eugenij Safonov WebOps Engineer / Scrum Master / Kainos Smart 18 May 2016
- 4. 5/24/16 4● InfoSec Confidentiality ● Access Control Systems ● Encryption ● Obscurity Integrity ● Access Logs ● Hashing Availability ● Fault-tolerance ● Redundancy ● Disaster recovery C A I
- 5. Best practices 5/24/16 5● Best practices Obscurity ● SSH ports ● Random usernames ● Non-default settings Layering ● MFA ● Network → TrueCrypt → SSH Key → OTP → sudo pass Least privilege ● Deny by default ● Disable root ● Named accounts Separation of duties ● Code reviews ● Deployment approvals ● Operations audit
- 6. Security habit loop 5/24/16 6● Habit loop Learn Communicate Celebrate Probe Automate
- 7. Habit ● Three 'R's of habit formation ● Support group ● Start small Security basics ● CIA Triad ● Best Practices Compromise ● Security vs Usability 5/24/165/24/16 77● Conclusion● Conclusion Be healthy Be secure
Notes de l'éditeur
- Less technical Inherently boring How good Parental precept Overwhelming complexity
- In many ways alike Build to do more The same as happiness Race against time Understate the risks Science of habits
- - property of a system which guarantees that data can not be disclosed to unauthorized users, processes or entities - feature guaranteeing consistency, accuracy and trustworthiness. - of data to authorized users when they need it speaks for itself. increases cost. We usually pay the most attention to this particular feature as it is the most visible for our users. - keeping personally identifiable information confidential
- security-first perspective First impression, brag, no care, weakest Onion-like Inconvenient, Reduce damage, annoying Think differently – unnecessary well messages, shiny new, block by default Missile launch, fraud and errors Separating dev/ops/qa, no single person gets absolute powers
- - positive perspecitve and best practices – good start - not a process – habit, automatic behaviour, nurse - awareness, vector, accountability, support, reward - learning careers, scrap, start small - communicate discuss, awaresness, support group. Educating – human factor, role model, encourage and condemn, not chastised - probe, formula? Fire. Assessments, pinpoint, external to stay compiant. Accountability and more green marks - celebration the most important, praise, proud, brag; but don't tell, paranoid freak. Team events , if no critical or major - automate, delegate, security checks, keep code free, enable updates. Start small with reminders and booking calendar
- We've covered all of them Along with Not to overwhelm actually advantageous to form a positive perspective. decide for themselves Exactly like health Technically possible totally Deprive of pleasures 5 years running Keeping data safe / actual functionality Makes application useful