#tuto
-
In the past
- Java applets
- Servlets
- Limited connectivity
- Static pages
- Not many threats
- Desktops
-
Today
- HTML5
- Single page apps
- RESTful architecture
- Desktops, mobile, smartwatches...
- Lots of standards (W3C)
- Just talk about the W3C and the gazillion standards it publishes
- Today we have many standards, but browsers implement them inconsistently
- JavaScript loves the browser
- At the same time it is hostile to security: any script running in the page can redefine built-ins
- Showcase a quick example of how to override crypto.getRandomValues
- Heartbleed
- Shellshock
- Surveillance
- Freak
- Definition of security
-
- "the state of being free from danger or threat" — vocabulary.com
-
- People don't care about security
- e.g. Plain text passwords
- Handling passwords is hard
- e.g. People sending passwords in clear text
- Systems giving too many hints for passwords
- e.g. "Your password must be 6 characters, letters only" tells an attacker exactly which keyspace to search
- Security vs. Usability
- Deadlines
- The majority of developers don't have enough time to think about security
- Things to keep in mind
- There's no such thing as perfect security
-
Where to get started?
- OWASP
- CWE
- NIST
-
MiTM
-
XSS
-
CSRF
-
Brute force
-
Session hijacking ...
-
How to prevent?
- Show how people would prevent these vulnerabilities
- Encoding output (per HTML context) to prevent XSS
- Implementing a CSRF token per session ...
- People will see how overcomplicated it can be and figure out that Keycloak is the easy path.
- Show how Keycloak prevents these vulnerabilities
- How to enforce SSL/TLS
- Preventing brute force
- Other security controls in Keycloak (KC) to protect web apps