How To Write Secure JavaScript Applications

Captions
I like to start things with an entertaining little story about something that might be familiar to all of you. This is a slightly exaggerated story of a day in the life, or death. The lead developer says, basically, "Hey boss, we've got this application, it's a 1.0, the client loves it, let's just send it out, let's put it in the world, let's get it working." The manager says, "Let me check with everyone in the company, because that's how it works, and then I'll get back to you and we'll deploy if it's ready." So at the all-hands the next day the CTO gives this huge, very busy, buzzwordy speech about how we're going to change the world with it, and he says, "Let's launch it." The lead developer goes to the keyboard, types his commands, and because we're hooked into something like Heroku he can push to GitHub and automatically deploy. So we do that, the Slack bot cheers, everything is good.

Six months later we get to work that morning and we learn from the New York Times that there's been a massive leak of credit card info, all kinds of information, and passwords that were poorly hashed or not hashed at all. Slack itself has also been taken over and we have to send bitcoins to get our bots back. And of course it's also your name, so for the people that went to the Slack talks, those are awesome, just beware: your Slack bot is not off-limits to hackers. What happens? We all freak out, the world's ending, people are losing their money, and then you just feel like this.

So we're going to go through some baby steps. First we're going to talk about how security works, why it matters, and how to think like an attacker, and then we're going to get into some really in-depth stuff in JavaScript and what you can build into your applications to make them work better, work better in the sense that they'll be secure. I'm doing really good on time, so maybe I'll slow down a bit.

So the first step is to understand the problem. This is a picture from just the other day.
It's updated from Information is Beautiful (informationisbeautiful.net), showing the world's biggest data breaches. You can see some of these on here: Yahoo was on here, LinkedIn is somewhere and it's miniscule here, eBay, Home Depot when you heard about the credit card information, Friend Finder is more recent, and MySpace, all kinds of stuff. It's really a problem, and these breaches cost millions of dollars, and even more on top of that for incident response. A survey was done by IBM (this kind of thing concerns me, just making up stats, but anyway): incident response costs four million dollars per breach on average among the 380 global companies they surveyed. So security doesn't exactly provide money directly. It's not like if I put some nice headers in my application that protect against bad scripts, that gives your company the money that it wants right then. What it does is, down the road, it saves you potentially millions of dollars in damage: reputation, my customers, incident response, advanced solutions that you have to deploy, people to hire. It saves you money in the long run, and that's why a lot of people put it off to the side, because they don't see the direct value at the time.

So we have a lot of vulnerabilities. Like I said, it's hard. Heartbleed, 2014: it was living in the OpenSSL codebase from 2011 and discovered in 2014, three years. Anyone who had a server in here that was deployed on any hosting service, AWS, DigitalOcean, Bluehost, who knows, you could just arbitrarily read data off this server. So I could send one command to your server and get all of the keys off your server, your private keys, all of that. Who knows how much that was exploited; I'm sure government agencies around the world were exploiting it because they probably knew about it, or hackers, whatever, and they just found it in 2014 and made all these pretty logos, like, oh cool, we ought to do that again. Then it turned out there were others: Shellshock was a bash bug, POODLE was an SSL degradation attack.
With SSL/HTTPS, we could basically say, you are running an HTTPS site, a secure site, and we could degrade you to some old version of SSL that wasn't as effective. There was the GHOST vulnerability, which was a vulnerability in glibc, which is the fundamental library on Linux computers; it does everything from the open command and syscall, so in Node if you open a file it's going to call down into this function. It's the foundation of Linux, and there was a vulnerability that allowed anyone to remotely take over your computer without any credentials on it. That was a big one. You may never hear about these things if you don't follow the appropriate channels, but if you have all the right people on Twitter or you subscribe to Microsoft's security feed, stuff like that, you'll get it right away. Stagefright, that was amazing. I thought this was hilarious: you could send a message to someone's Android phone, and this is recent, in the last year, and you could take over their phone and root their phone remotely. So I mean I could just get into your phone with some kind of message sending (I won't go into the details) and have your phone; it's mine at that point.

And that's where we get things like the Dyn DNS attack that took Twitter and GitHub down the other day. That was millions of cable boxes with network connections that destroyed Twitter and GitHub's DNS infrastructure, or the infrastructure they use. So it's really important that the people here that do IoT, web, whatever, realize that everything we put an IP address on, everything we connect to the Internet, has the power to take down the world's biggest sites that people use for a lot of important things. I mean, yes, Twitter, sure it can go down, but GitHub, people deploy code off GitHub, health care companies upload code off GitHub. It's really a frightening thing that we have all of this. And of course we have Flash, and Flash, and Flash, and Flash, and eventually we have WordPress and WordPress. They're not bad things.
They just have very big code bases and they're very vulnerable. The developers of those platforms aren't bad people; they just have a lot to manage, and that's why it's important that we think about this side. So, more WordPress. It's obviously a hard problem, a really, really hard problem. Vulnerabilities can be everywhere. This is a not very beautiful thing I made in draw.io, which is Google's old drawing thing, that has the layers of the TCP/IP model and the OSI model, which are the two networking stacks the models represent, and you can see all the protocols and services within each layer. I've highlighted in blue some of the more important ones, ones that you deal with more often. So who in here has used Meteor before? Anybody? Meteor, it's a pretty cool framework. DDP is the way they communicate data, that's in here. WebSockets, you've probably used them even if you don't think you have, because it's underneath everything. ASCII, believe it or not, IRC, SSL, SSH, all these protocols are composed of millions of lines of code, and all of those have vulnerabilities. And because we talk over things like HTTP, we're dealing with all the properties that HTTP has, so it's important to use things like SSL. It's important to do things like certificate pinning, where we have to make sure that people can't reverse-engineer our apps on our phones. So that's the thing: if you have an SSL certificate on your iOS or Android app and I can reverse-engineer that certificate, I can basically bypass the fact that it's encrypted if you're not doing certificate pinning, which is a way to disallow that. I won't go into that either. Those are all important things. I've worked on consultant gigs and stuff around, like, hey guys, you should be doing this pinning. There's not a direct vulnerability, but it was really easy for me to go in and just see what you're talking to back on your server, and they're like, nah, we don't think it's a big deal right now.
It's like, okay, you can't fight them. I mean you can try a little bit, but then they'll just fire you. But there is hope, and I don't know if I have sound, but Star Wars, on cue, epic Star Wars music. Who's going to see Rogue One this December? Who saw the last Star Wars movie this December? Did you guys like it? Is it good? Yeah, Rey was definitely my favorite character out of all the movies. I mean I obviously was, you know, 10 years, like, not alive when the first one came out, maybe longer, but I watched all of them, I was a big fan, and she was really cool. So yeah, that was good, that's a good movie, I hope you guys see the next one.

So it's important that first we understand that there's a problem, and secondly understand that there's a right way to do this kind of stuff. There's a right way to approach security that will help us build better applications and not succumb to Heartbleed and all those other terrible things. The first way that's wrong is security through obscurity, and that's basically when you keep your system safe because they just don't know what it is or how it works; they know nothing about it. But they're always going to know something about it, so that's not the right way for that to work. When you see someone say "we have unbreakable cryptography, unbreakable security," that is absolutely BS. They do not. There's no such thing as perfect security. If someone says buy my product for 50 million dollars and we will secure your websites with the best encryption known to man, and they don't publish their source code, then don't buy them; that's ridiculous. And if you ask any cryptographer that's way smarter than me about mathematical properties and crypto, they'll always tell you there's a way to get around it if you've spent long enough looking at it. I mean yes, maybe one day when quantum computers come out we'll find a better way, but who knows, that day is not right now. So I don't know if this is actually a specific one, but I like to, I came up with it.
Someone else probably came up with it too, but basically it's when you just completely ignore that security is a problem and you just go about your jolly day and forget about it. So yeah, that's also not good, and it really sucks. I'm telling you, it really sucks to think about security sometimes, because we just want to build better functionality, build features, build a better UI, all that kind of stuff. But it will save you a lot. I'll show you, I mean I think I've already showed you that we have vulnerabilities and they exist. I'm going with the assumption that you guys know that people can hack all the time, and this is important, so I'm here to tell you about how you can actually do it pretty easily.

So I think, and this is my opinion, the bulk of the community is doing it this way. Security by design is when you design it from the ground up as you build the application, from the phase of prototyping (at a lesser amount), but from the phase of prototyping to actually deploying to production, you design it to be secure. So that means thinking about security in the sense of, okay, when it actually gets deployed to production I need to have HTTPS, I need to not show identifying information, so not have these headers that tell you that your backend is PHP or Node or Express or whatever, which do exist and are on by default. Keeping things like that in mind, acknowledging that vulnerabilities can occur in code; we all know that happens, and some of us here may have been affected. Who here has had their, I don't want to disclose this, but if you want to, who here is at a company that's been affected by a breach before? Yeah, so it's a non-negligible number of people. And how many people here have dealt with the QA team or the operations team coming in, saying fix this or fix that? Anybody? So nobody has had the dev team or the security team say, like, fix the vulnerabilities after they discovered them? A little bit, okay. Yes, so that's one thing.
One thing is that when things are discovered there's this constant dynamic between the dev team and often the security team, where it's like, hey, I found this problem, go fix it. If they do, that's great; if they don't, then you just deal with it. And the big thing we dealt with at Cisco is that the company has 172 thousand employees, and like nine of the 12 root routers in the Internet, the switches, are on Cisco hardware, so something like three-quarters of the Internet runs on Cisco hardware. We were responsible for breaking into our own products before the bad guys did, and so if we found something we disclosed it through the internal system and those teams would fix it; we would hope they fixed it. Cisco is great, it had a very strong security culture, so that was stressed. But if you're in a smaller company and the people above you, or below you, whatever, don't think that security is important, and you're telling them to fix things, then that's obviously an issue, and we'll get into a little bit about that later. So again, maintaining and prioritizing a security team, even if it's just one person, is a good thing to do. Thinking about how attackers will try to hurt you, so that's great. Let's make sure I focus on this.

So the next thing is understanding the enemy and yourself. I had a really not-so-insightful quote by Sun Tzu here; I figured I'd take it out. But basically you've got these two opposing parties, and you think of black hat and white hat hackers. This is from an old comic; it comes up all the time when you look at black hat stuff. It's probably from something you guys know more about; I mean, the extent to which I watched cartoons was like Tom and Jerry, and even that was kind of before my time, so I'm pretty young. So white hats, black hats, gray hats, what does all that mean? They're used to classify hackers by their motivations, purpose, compensation, whatever.
And again, the term hacker is really misused in all different kinds of ways. What we now refer to as security: when I ran the hackathon, hackers were first students or people that want to come and build stuff that wasn't there before; it can be anything, but in this case we're talking about people who do some kind of security.

Okay, so motivation, who cares? It's really helpful to understand the motivation that attackers have, and that the defenders have, when they go about building systems an attacker is going to attack. It could be money, power, destruction for the bad guys; often for the good guys it's morality, responsibility, and protection of the users that they're going to try and save, and not losing their information. Some of these things, there's a gray area in between; some people are different. So white hats are the people, and you think of NCIS, because two people can type on the keyboard at the same time; we learned that from this. This is what I do when I go to a breach, this is exactly what I did. White hat hackers, or security researchers, practice responsible disclosure, which is when you disclose it without actually publicly disclosing it first; you give it to the company. Bug bounties: Facebook gave out like 14 million dollars last year, it's either 4 or 14, a lot, in bug bounties. They spread security awareness: go back and tell your companies, hey, security is a problem, let's think about it more, let's at least do a check in our build tool or our tests that tests these properties. And they also maintain active Twitter accounts. Please, if you ever want to follow security people, the good guys are almost always on Twitter. The bad guys are on there too; the Anonymous hackers, that whole group, they often like to screw around and just completely DDoS their accounts and do stuff like that. But the good guys do have Twitter accounts, so follow them. Don't follow me; I'm now stuck in this place.
I like JavaScript and I like security, and now if I tweet anything about JavaScript the security people unfollow me, and if I tweet anything about security the JavaScript people unfollow me, so I'm stuck in this weird place. But there are way better people. Black hats: this is probably one of my favorite movies of all time, it's Hackers from 1995. This is where the hackers in the back, the bad guys, are hacking the Gibson, which is in this movie. And obviously there are these, like, white, old, neckbeardy dudes; it's like, no, no, no, black hat hackers can be anybody. Who knows, it can be a cat, it can be a dog, and it can be your mom, so just be aware that black hat hackers do this. If you ever see a room with a bunch of neon lights, it's probably bad guys; that's from 1985. So black hats' motivations are usually money, like the LinkedIn data breach, where they stole other credentials; power, North Korea and Sony, you can arguably say that was for power; or destruction, the Ukrainian power grid was just knocked out a few months ago, I mean that's a bad thing. The US electric grid is in a terrible state; we spend billions on research in this country working on that, labs in my university and others. Revenge, hacktivists, the people that like to screw around with this stuff just because they're doing it for the greater good; it depends, they can be good or bad.

So what's a vulnerability? It's when you make an application do something that it's not supposed to do, and to find them you have to understand your application. That's great for us developers: those of us that can write code, you're already light-years ahead of security operations people that have never written code before. If you ever go and interview for a security job, a lot of times they'll ask you, hey, do you know how to write code, and if you do that's good. Because when you think about it, if you are pen testing a site. Pen testing is penetration testing.
It's when you try and go hack into some website or product and then disclose vulnerabilities. If you know how this form field, this password login field, is implemented, or can think about how it's implemented, then you know what to target. So you know it might not really be a great idea to go into the browser inspector and change the background color of the page's CSS to blue, because that's not going to do anything, I mean why would that do anything, but you might start trying to fuzz or inject a lot of data into the password field and keep clicking submit until you see if you can find something. So it's good to be wary of how things are implemented; it's good to know the application. So thinking about the functionality, the intended behavior. It's important to think about intended functionality and unintended behavior: what does the application use as input, this is the biggest one, and what does the application produce as output. These are the most important things to think about when you're looking at an application to see if it has some sort of vulnerability. I'll have all these slides online later, so no worries.

So here's an example, Wikipedia versus CNN. Suppose that you find that authenticated regular users can edit page content. So is it a vulnerability? If you think it's a vulnerability in Wikipedia, raise your hand. We're not seeing that. Anybody? Yes, I think it'd be bad if we found that. I'm not going to get political, but if CNN posted an article about cats and someone edited that to say that the cats are now president and they're taking over the country, we'd probably say that's a vulnerability. Wikipedia, obviously, if you're authenticated you can go and change content, because that's how Wikipedia works. So it's good to think of things in the context of how they work.

Attacking is a process. Step one is almost always reconnaissance: investigating it, investigating the headers that are sent, the code itself on the client.
That's looking at the state that's maintained: the local storage, your cookies, all of those things, and the flags on the cookies, all stuff like that. Two is to develop a vulnerability hypothesis, and this will be repeated over and over: thinking that, hey, I've got this form field, maybe I can inject it with something, maybe I can do something with it. Three is to test that. Four is to develop an exploit, assuming you find that your tests work, to kind of formalize it and distribute the code to the company, or your boss, whatever, and say, hey, I found this problem with this code base. And then step five is profit: get swag, or protect the world, and your mileage may vary on that. So bug bounties often do swag and/or money or whatever. Google's cap is like 40 grand for Android remote code execution vulnerabilities, so if you find a way to hack into an Android phone without being authenticated and run, like, my code on it, then they'll give you up to 40k, and taxes do apply. So United.com just opened up a bug bounty program, and a Georgia Tech student found 20 low to mid level vulnerabilities, not very big ones, and he got about 300k worth of airline miles or so; it was like 100 million miles or 10 million or something ridiculous, and the government just came to him the other day, like, hey, you've got to pay taxes on that now. So yeah, a student has to come up with taxes for 300k of stuff; hopefully they can just take some miles. But yeah, you can get cool stuff by doing this. So you can see this is very much like the scientific process of thinking about an experiment: how do I test it, and then how do I actually formalize it, and then how do I go and get it to the people. This last step is more the disclosing of the thing, or using it to, like, take over the world, or something like that.

Okay, so injection. Back to: it's important to understand all the input to the application. Like I said, form fields are just one.
But we have a lot: query parameters, URL path, POST parameters, cookies, headers, file uploads, functionality, emails, form fields, WebSockets, local browser storage. There is so much here; anything where you can get input into the application and back to the backend, or the client, depending how much logic you're exposing on the client, is a potential attack vector. You're going to be thinking about these things when you design your app, because you want to think, how do I protect this, how do I validate the input, how do I do rate limiting, things like that. So you have to understand data flow too. It's important to understand, if data goes from X to Y, what is it going through, how is it getting there, and what are the things it's affecting along the way; how does the output of the page flow through the program. So if you make a new Facebook post, the post displays on the news feed but also in your timeline. Is there a vulnerability whereby posting in the news feed something won't show up, but then when someone likes it and it shows up on their feed, it runs some malicious script that you hid in the post, and then they're now taken over from their account? Which does happen, and it has happened before at Facebook and other places.

So now I'll actually talk about JavaScript and what it means to write secure code in JavaScript, and the modules you might want to look into, and the process, that kind of stuff. So this is like my favorite GIF; I don't know if it's real, no one knows if it's real. Raise your hand if you think it's real. I mean it's like, there's, I don't know, that's great, I love that. Okay, so I'm going to have a little legend of what I'm showing. I'll have a yellow box and a link to .software; .software is now a top-level domain. Whoever came up with the idea that .coffee and .software and all this other crap should be top-level domains, that is awful; never do that.
It's like, why? I don't know; when I got my first domain I couldn't find jaredsmith.com because, you know, it turns out jaredsmith.com is also someone that does development and also security, so I was like, great, that was the best name to have. So I did jared-smith.net, or jared-m-smith.net, because my friend told me that .net was the best domain name. Okay, cool; hopefully he watches this. So yeah, that's kind of a little show.

So the first one we'll really look at is command injection. It's when untrusted data is sent to an interpreter of some kind, whether it be SQL, an eval statement, JavaScript, it doesn't matter: something that interprets input as part of a command or query. So it's the injection of malicious code into the program logic, like I said, through SQL, NoSQL, evals, OS instructions (you know, like an open file on the system); if you can get data across SSH and have it run and open and do some weird stuff, that's also that. LDAP has a lot of injection. When you do security for a while, you'll realize that Windows is just a treasure trove of vulnerabilities; it's so much fun to pen test, it's a blast. But you know, Mac is not really like it used to be, the thing you would have if you didn't want to get a virus; now that happens all the time, so I don't think anything is safe anymore. And we also have refrigerators DDoSing people's Twitter accounts and sites. If nothing else, go to the Losant talk after this; they're giving a hardware workshop and they do IoT, and I talked to one of their guys about this stuff, and they think security is important, which I think is great; good for them.

So command injection, how do you combat that? You want to validate all your user input on the server side, not just the client side. It's great to do it on the client, but you also have to do it on the server before you throw it to any interpreter. Don't use eval. I know, who uses eval? But setTimeout uses eval, setInterval, Function.
new Function uses eval underneath. Everything that goes into these needs to be sanitized; honestly, everything you do needs to be sanitized. And then I found this really cool library called express-validator. It's got a significant number of stars on GitHub. Everything I post has some; it's been updated within the last year at least, most of them in the last few days, with some of that trash. Obviously you can validate yourself too, but this kind of adds some nice stuff.

Right, so cross-site scripting. This one is a blast; I really love cross-site scripting. You can basically run malicious JavaScript in the victim's browser in the target application. So successful XSS can steal user information, cookies, session IDs, redirect to malicious websites, download malware, act on the user's behalf; it goes on and on and on. So Mark Zuckerberg a few years ago was hacked by this guy, when he told Facebook that there was an XSS vulnerability and they didn't respond, they didn't handle it very well. So he's like, great, you know, the best thing I could possibly do here, I found that vulnerability, I can get like thousands of dollars for it, is go at the CEO of the company and take over his account, that's the best idea. So he did that, and I don't know what they did to him, but they definitely did not give him the money, so that was a success. There's plenty of other examples. Basically with XSS you are able to post, think of it like a snippet field: if there's a site that takes code snippets, imagine if the code in that field would let you put a script tag in it, and then when that gets displayed on a new page that script tag will load; the user won't see it. And imagine that script field, instead of alert("hacked"), because that's the worst thing to do, is instead an XMLHttpRequest, because that's in everything, sending document.cookie to jaredsmith.com/command-and-control-server, and now I have your cookie. I'm good to go in my browser, using a nifty Chrome extension.
With that extension I log in as you and start tweeting, you know, bad things about yourself. So that's how easy that is, and the only thing that will prevent that right now is sanitizing your inputs. There are efforts to do automatic contextual sanitization, and that was my senior design project: we essentially were able to rewrite parts of the PHP interpreter using an extension and modify all input as it comes into the application on the fly, with less than 2% overhead, and sanitize any input coming from the user based on the context. It works with PHP 5 and 7, but obviously no one's going to use it, because they won't install an extension; that's real hard, it really sucks, so they're not going to do that. But there's other things: Angular has built-in contextual escaping, Django does it by default, and so things are starting to pick up on that. So again, validate and sanitize all user input and encode output. It's really like, if you have a snippet field and you can put HTML there and it's not supposed to be there, and then the next page shows HTML, you can get rid of that just by encoding those HTML tags. If you at least just escape the script, the less-than and greater-than, you'll be much better off. Set appropriate headers; I'll show you, essentially, a second little set of things that browsers now recognize that prevent XSS more automatically. Chrome also has the XSS Auditor, which filters some amount of XSS. I'm not really going in depth on a lot of this; if you do go to some of the resources at the end and look into more web security stuff, there's lots of different classes of XSS and things like that. So validation again, you can use that library, and setting appropriate headers, this helmet library is great. I saw someone with a React library that was helmet as well; this is different. This lets you use all kinds of headers, things like secure cookies and all kinds of stuff like that. Please use it, it's simple, it's an Express app, it's like five lines. Okay.
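The two defences just described, server-side validation before input reaches any interpreter and HTML-encoding at output, as an added example that is not the speaker's code and uses only Node built-ins rather than express-validator or helmet. The comment form, the `store` array, and the Express-like `req`/`res` shapes are assumptions for the demonstration.

```javascript
'use strict';

// Allow-list for the author field: no shell, SQL or HTML metacharacters get through.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
const MAX_BODY = 500;

// Validate on the server no matter what the client-side form already checked.
// Returns { ok: true, value } or { ok: false, errors }; it never throws on odd input.
function validateComment(input) {
  const errors = [];
  const author = typeof input.author === 'string' ? input.author.trim() : '';
  const body = typeof input.body === 'string' ? input.body : '';
  if (!USERNAME_RE.test(author)) errors.push('author must be 3-32 chars of [A-Za-z0-9_]');
  if (body.length === 0 || body.length > MAX_BODY) errors.push(`body must be 1-${MAX_BODY} chars`);
  return errors.length ? { ok: false, errors } : { ok: true, value: { author, body } };
}

// Encode the five characters that let text break out of an element body or a
// double-quoted attribute. This is what turns "<script>" into inert text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the page. Every piece of user data passes through escapeHtml at the
// exact point where it is inserted into HTML (encoding at output, in context).
function renderComments(comments) {
  const items = comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
  return `<!doctype html><html><body><ul>${items}</ul></body></html>`;
}

// Headers that make the browser help: CSP restricts where scripts may load from,
// nosniff stops content-type guessing, DENY stops framing. Same idea as helmet.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
  };
}

// Express-handler shape; res only needs setHeader/status/send.
function handlePostComment(store, req, res) {
  for (const [k, v] of Object.entries(securityHeaders())) res.setHeader(k, v);
  const result = validateComment(req.body || {});
  if (!result.ok) return res.status(400).send(JSON.stringify(result.errors));
  store.push(result.value);
  return res.status(200).send(renderComments(store));
}

// Constructed sample: a comment carrying the talk's script-tag payload.
const sampleRequest = { body: { author: 'mallory', body: '<script>alert("hacked")</script>' } };
```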
Cross-site request forgery: this is kind of complicated, but it's an extension of XSS where you can basically frame on top of someone's browser. Essentially what you're doing is making them click on the site underneath your page that they already have loaded in the background. So if you have, you know, jaredsmith.com or jaredmichaelsmith.com/blog and they're on my blog, I can put a window of Facebook behind it, it's invisible, and if they are authenticated at Facebook already and Facebook has a cross-site scripting vulnerability, then I can make them click on post or like or, you know, send me money. A bank is a good example: I can put their bank behind that and make them send money to me when they only think they're on my blog. And that happens, that happens all the time, and it's really not an uncommon thing; all of these things happen a lot, and these are things that can be prevented by validating input. Attackers usually target state-changing requests, and because of the way it works you have to target requests that you can predict; if you can randomize requests in a way that they can't duplicate, then this can't happen. So the way to deal with that is to include a random, unpredictable token in requests, and add tokens to requests which mutate state, and this csurf library is super popular and does it for you in Express. You will be vulnerable to CSRF if you don't use csurf. All it does is add a nonce, which is a random token, to your request, no overhead, and it validates it; when I say no overhead, it's completely negligible. And that will prevent CSRF, because then you can't essentially make them send requests on your behalf, because they can't predict what that request will be.

Session management. Please, please, please, please don't implement your own authentication mechanism. The people that built OAuth and all of those things did it and spent years doing it, because frankly they're a lot smarter than me.
probably smarter than most of us they know what they're doing they've dealt with authentication for a long time so again developers often do implement their own authentication I hope you guys don't but just don't do that so session management is hard I mean it's cookies being stolen stuff like that um don't expose the session token' URL a few years ago actually a long time ago there's a guy named I can't remember his name he's a bunch of documentaries and he basically found one really where AT&T had the user tokens they identified them as the URL so /url and they were iterable so it was like / 1 / 2 / 3 / 4 and you could get to their page with a credit card info right there by doing that I mean he made a big deal about it he told the whole world but without something like unity or maybe you told them first whatever he went to jail and I can't renew his name he's a he's are actually pretty terrible person he's not very nice session tokens should timeout make them timeout don't have such tokens live for years it's a terrible idea and recreate them after successful login this is the standard practice always we create the math you log in and use hu HTTP for sending tokens and appropriate permissions and also use OAuth 2.0 or sam'l or some appropriate authentication some throw our libraries and JavaScript that will do this permissions you can do that in passport that's wasn't get to that's a very simple authentication library that does open all that it's very very popular and Express uses a bunch of you might already use it I mean this permissions library makes citing permission it's easy if I having to write your own logic password management they're often handled incorrectly um you can't just leave your passwords in plain text on your database obviously you obviously can't or you can't encrypt them either because if someone steals the key they can just decrypt this so why are you encrypting it that's the that's the point you can't just encrypt it you have to also you 
have to hash it but if you hash it with algorithms that are you know 15 years old like sha-1 then I can crack it with my laptop in like less than a second um so you need to use good hashes you also need to use salts which are essentially random tokens appended to the end that add additional protection I'm so an example is the 2012 LinkedIn breach passwords are hash but failed uses salt so when they failed uses a salt you can look up things called rainbow tables which is a mapping of hashes to passwords or since it's basically that I mean then you can crack the passwords more quicker and there's tools already do this stuff if you look up John the Ripper or a hash cat they use GPUs and do it in no time so use be critique ripped is the standard hashing algorithm it's developed and approved by cryptographers it's open source I'm in for strong passwords too and also please aware 2016 that people use two-factor off I mean like why have you not been doing that if you can prefer the TTP which are the one-time passwords or u2f which is the great and Fido you bikies it's a these things right here if you see those they get hugged lets you to use that Google if you use it use Google Authenticator for the one-time passwords or of--they if you have to you can also use SMS and but the thing is these days ATT and rise all those companies do a terrible job of validating and signing your text someone can't spoof your text and log into your Twitter account with a phone that's not yours but can make a PT or Twitter think it's your phone um that's the thing it does happen I'm so having passwords with bcrypt that's the node B crypt implementation it's other places as well I'm two factor auth this line right it's kind of all I'm really surprised that two-factor authors not really well-maintained right now maybe people just implement themselves but yeah you can use the SDKs cookies go a little bit faster on if the set cookies using the following Flags secure HP only let them be only 
access of HTTPS in JavaScript it should be only means that you can't do that XML HTTP requests talking about cookie because then it can't be accessed there's other ways to actually do it properly scoping is when you can do things that only lets hookie be accessed by your domain on your own website so that means that CSRF from another site can't happen so there's some permissions right there a cookie session is a wrap from cookies those are pretty good packages and the key group is the cool library for signing and verifying that cookies are the same do still exist strict mode I mean you may hate strict mode but it's really great please use it on prevent silent errors from happening helps the JavaScript and also perform optimizations you'll have to use it doesn't prevent all types of our abilities that really doesn't prevent anything explicitly security but it helps errors not fail silently information disclosure that can be a bad thing as well when you accidentally show the users or people using application too much information about it so stuff like the ex powered by Express Heather you don't disable those things often they're disabled by default but if they are enabled you should disable them since the data exposure please don't expose people's data don't let your whole entire States voter registration database just be sitting on the public internet Georgia did that and everyone in the entire state lost all of their information social security cards and everything how it's like last year and don't break users trust use SSL HTTPS it's again it's 2016 we should see a green shield and your browser free don't that's a that please do that who is not using HTTPS in their production app I mean okay I don't I know you wouldn't raise your hand I know everyone still I mean we have to talk more if you are encrypt data at rest in transit disable caching forms often that stuff gets sort of local storage which can be accessed by XSS let's encrypt free SSL Certificates why are 
we not doing it they're free and they're in every single browser you already use some useful tools there's something called reads hired j/s that would scan your packages for vulnerabilities automatically you can do it in your npm build scripts note security platform is super great is that they had like yesterday or one of these was that this is recent it's still being used it just adds to NPM SEO lie and you'll do live automate security tests automated tests are better than no test the best thing is doing security audits of your platform docker is great shrink wrap is good so takeaways this is the last thing I talked about takeaways acknowledge the security is worth spending time on you can see that this is a problem people deal with this we don't want this to happen I don't you guys will use our information and I don't want you to come back and tell your boss that I taught you something you didn't implement it and you come and blame me and sue me for what I did and didn't tell you understand applications to get a high-level I gave you some tools to do that just keep if you want to learn more read about it I'll have resources at the end of this that you can get them from the slides later I'm have the mindset an attacker when building and testing your systems think about not just how it's developed how you're developing it but how similar ways Hacket that helps you enforce better properties in the new security best practices that's all the thing I told you there's a lot more to there there's a lot more security stuff I gave you some the highest the biggest ones and finally go back to your companies and tell them that security is important so again if you spend more money and coffee than IT security will be hacked you deserve to be hacked so that's this great clip like that so I mean you will be hacked all right thank you if you have questions come see me afterwards you can reach me in all those places thank you [Applause]
Info
Channel: Coding Tech
Views: 108,890
Keywords: javascript, security, web security, web development
Id: BeKMbTSm7x8
Length: 37min 33sec (2253 seconds)
Published: Wed Nov 08 2017