TDC2016POA | Web Track - Agile Security
Transcript of TDC2016POA | Web Track - Agile Security
Agile Security: a security mindset in an agile environment
About us
Waldemar Neto @waldemarnt
http://walde.co/
Jeff Stachelski @jeffhsta
https://jeffhsta.github.io/
Agile Security: a security mindset in an agile environment
But why?
● Application
  ○ Packages
  ○ External audits
  ○ Cloud computing
● Development
  ○ Weak passwords
  ○ 2FA
  ○ GPG
  ○ Git
  ○ Understanding authentication
Day-to-day security
Signing commits with GPG
A bit about GPG (GNU Privacy Guard)
Git and GPG
Demo time
Shared secrets
Sharing secrets
● pass
● Vault
● 1Password for teams
Encrypting communication channels
HTTPS everywhere
● HyperText Transfer Protocol Secure
Authentication
More than one authentication factor
Form-based authentication
Token-based authentication
● Basic
● JWT (JSON Web Token)
● OAuth2
Basic Authentication
user: waldemar
password: 123456
base64Encode(user:password)
Authorization: Basic d2FsZGVtYXI6MTIzNDU2
JSON Web Token (JWT)
Header
Payload
Signature
OAuth
Passwords
Passwords
● Weak passwords: 123456, admin or 18061992
● Password policies
● Storing passwords
Life without passwords
Cryptography and hashing
CRYPTOGRAPHY AND HASHING
● Plaintext != Encoding != Encryption != Hashing != Cryptography
Don't reinvent the wheel
● Use existing cryptography libraries
● Well-known algorithms such as:
  ○ AES (Advanced Encryption Standard)
  ○ RSA
  ○ SHA-512 (Secure Hash Algorithm); a fast hash, so not on its own for passwords
  ○ bcrypt (a slow, salted password hash)
Password reset
Validation
Input data validation
● Validate and sanitize input data
● Sanitize (encode) output data
● Cross-Site Scripting (XSS)
● Injection attacks
● Uploads
Improving security with HTTP headers
● Content-Security-Policy
● X-Content-Security-Policy
● X-WebKit-CSP
(The two X- names are the old vendor-prefixed forms from before CSP was standardised; current browsers honour only Content-Security-Policy.)
Demo
Sessions
Sessions
● Remember me
● Where to keep session state
● Invalidating sessions
● Cookie monster
● Local Storage
A bit about attacks
Common attacks
● Clickjacking
● Cross-Site Request Forgery (CSRF)
● Denial of Service (DoS)
● Server-Side Request Forgery (SSRF)
● CORS
Configuration mistakes
Configuration mistakes
● Forgot to turn debug off (left as TRUE)
● Lack of monitoring
● Principle of least privilege
● Rate limiting & captchas
● Project passwords and secrets kept in files
● Patching and updates
Docker
Things to watch with Docker
● Where images come from
● Automated builds
● Dockerfile
● Least privilege
● read-only
Security practices in the project
Pentesting
● OWASP Top 10
● Tools
  ○ OWASP ZAP
  ○ Burp Suite
● Linux distros
  ○ Kali Linux
  ○ BlackArch
CONTINUOUS SECURITY HYGIENE
● Always keep to the security standards
● Security vs. usability
● How do we keep these practices going in the team over time?
Threat Modeling
OWASP CORNUCOPIA and Elevation of Privilege
Thanks!
Questions?
You can find us at @waldemarnt & @jeffhsta