Whether we like it or not, JavaScript rules the web, so let's look at JavaScript defence in depth.
This talk will work through the following:
Overview of the current security landscape in JavaScript (client and server side).
Raising awareness within the development team and organisation.
Making sure you have the right people on your team.
What do the right people look like?
Education. How OWASP and the BSIMM Software Security Framework (SSF) can provide assistance.
Lifting your security stance doesn't have to cost a lot. Putting the practices in the right order, so that defects are found at design and coding time rather than in production, can reduce the cost of fixing them by up to 100 times (drawing on my AgileNZ 2014 talk).
Coding standards and conventions to help remove some of the "wild west" attitudes and behaviours.
Decide how you're going to do things before you do them. Making sure whole team is on the same page.
Code review
Automated and manual approaches.
Techniques for creating discipline in an inherently undisciplined language
Static code analysis. What do we have here and how much does it help?
What offerings do we currently have at our disposal and how much do they help us?
I'll walk through some of the offerings that provide insight into where our code is falling short and ideas on how we can improve the code.
Techniques and tools to assist with automating static analysis:
(https://wiki.mozilla.org/Security/B2G/JavaScript_code_analysis)
(JSPrime: https://www.youtube.com/watch?v=Vk5SPGpqiLc)
Dynamic code analysis.
Design by Contract (DbC): enforcing preconditions, postconditions and invariants (ristretto-js).
Taken care of by Aspect-Oriented Programming (AOP).
DbC can be a pain to implement, so do it once and keep the contract checks out of your business logic by applying them as aspects.
Testing. It can actually be fun. Let me show you how.
Automated testing. That's right, you have to write code to leverage the security APIs against your System Under Test (SUT).
OWASP ZAP REST API for regression testing
Fuzzing and injection. Leveraging automation takes care of a lot of the OWASP Top 10. (http://www.bsimm.com/online/ssdl/st/?s=st3.2#st3.2)
Manually breaking things.
Demonstrate a collection of web-based vulnerabilities and discuss how the above-mentioned defence in depth practices provide mitigation.
We'll use tools such as those top-rated by ToolsWatch.
How your application can not only detect when it's under attack but also intelligently defend itself.
Quick overview of the AppSensor project.
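The DbC-via-AOP point above (declare the contract once, keep the checks out of the business logic) in plain JavaScript. This is an added example for this page, not code from ristretto-js or from the talk; `withContract`, `ContractError`, `Account` and `tryWithdraw` are my own names. The wrapper is "before/after advice": it checks the invariant and precondition, calls the original method, then checks the postcondition and invariant again, and the `Account` class itself never mentions a contract.

```javascript
// Added example: a minimal Design-by-Contract aspect in plain JavaScript.
// Not code from ristretto-js or the talk; names below are assumptions.

class ContractError extends Error {
  constructor(kind, fnName, detail) {
    super(`${kind} violated in ${fnName}: ${detail}`);
    this.kind = kind; // 'precondition' | 'postcondition' | 'invariant'
  }
}

// withContract weaves before/after advice around fn.
//   pre(args, thisArg)          -> null/falsy when satisfied, else an error string
//   post(result, args, thisArg) -> same
//   invariant(thisArg)          -> checked before and after the call
function withContract(fn, { pre, post, invariant } = {}) {
  const name = fn.name || 'anonymous';
  return function contracted(...args) {
    let msg;
    if (invariant && (msg = invariant(this))) throw new ContractError('invariant', name, msg);
    if (pre && (msg = pre(args, this))) throw new ContractError('precondition', name, msg);
    const result = fn.apply(this, args);
    if (post && (msg = post(result, args, this))) throw new ContractError('postcondition', name, msg);
    if (invariant && (msg = invariant(this))) throw new ContractError('invariant', name, msg);
    return result;
  };
}

// The target knows nothing about contracts: pure business logic.
class Account {
  constructor(balance) { this.balance = balance; }
  withdraw(amount) { this.balance -= amount; return this.balance; }
}

// Weave the contract once, at prototype level, instead of inside withdraw().
Account.prototype.withdraw = withContract(Account.prototype.withdraw, {
  pre: ([amount], acct) => {
    if (!Number.isFinite(amount) || amount <= 0) return `amount must be a positive number, got ${amount}`;
    if (amount > acct.balance) return `insufficient funds: ${amount} > ${acct.balance}`;
    return null;
  },
  post: (result, _args, acct) =>
    result !== acct.balance ? 'returned balance does not match stored balance' : null,
  invariant: (acct) =>
    (!Number.isFinite(acct.balance) || acct.balance < 0) ? `balance invalid: ${acct.balance}` : null,
});

// Small driver so a caller can see the outcome without try/catch at every call site.
function tryWithdraw(acct, amount) {
  try {
    return { ok: true, balance: acct.withdraw(amount) };
  } catch (e) {
    if (e instanceof ContractError) return { ok: false, kind: e.kind, message: e.message };
    throw e;
  }
}

// Stand-alone run: one valid withdrawal, then a rejected overdraw.
const demoAccount = new Account(100);
console.log(tryWithdraw(demoAccount, 30));   // ok, balance 70
console.log(tryWithdraw(demoAccount, 500));  // precondition violated, balance untouched
```

Because the precondition rejects the overdraw before `fn.apply`, the object is never mutated on a contract failure; the postcondition and invariant catch bugs inside the method itself (for example a refactor that forgets to update `this.balance`).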
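For the "OWASP ZAP REST API for regression testing" point, an added example (not code from the talk or from the ZAP project) of the two halves a CI job needs: building the ZAP API calls, and turning the alerts ZAP returns into a pass/fail gate. The endpoint paths (`/JSON/ascan/action/scan/`, `/JSON/ascan/view/status/`, `/JSON/core/view/alerts/`), the `X-ZAP-API-Key` header and the `{ alerts: [...] }` response shape with `risk`, `confidence`, `alert`, `url`, `param` and `pluginId` fields are ZAP's; the ZAP base address, API key, target URL and the sample alert records are constructed for the example, so the gate runs offline.

```javascript
// Added example: a regression gate over OWASP ZAP JSON API alerts.
// Not code from the talk or from ZAP. Sample data below is constructed.

const RISK_ORDER = { Informational: 0, Low: 1, Medium: 2, High: 3 };

// Request helpers a CI job would call against a running ZAP daemon.
// zapBase, apiKey and target are assumptions for this example.
function zapRequests({ zapBase = 'http://127.0.0.1:8080', apiKey, target }) {
  const q = (params) => new URLSearchParams(params).toString();
  return {
    headers: { 'X-ZAP-API-Key': apiKey, Accept: 'application/json' },
    startActiveScan: `${zapBase}/JSON/ascan/action/scan/?${q({ url: target, recurse: 'true' })}`,
    scanStatus: (scanId) => `${zapBase}/JSON/ascan/view/status/?${q({ scanId })}`,
    alerts: `${zapBase}/JSON/core/view/alerts/?${q({ baseurl: target, start: 0, count: 1000 })}`,
  };
}

// The gate: fail when any alert is at or above failRisk, unless its pluginId is
// on the accepted list (a tracked false positive or accepted risk).
function regressionGate(alertsResponse, { failRisk = 'Medium', acceptedPluginIds = [] } = {}) {
  const threshold = RISK_ORDER[failRisk];
  const accepted = new Set(acceptedPluginIds.map(String));
  const offenders = alertsResponse.alerts.filter(
    (a) => !accepted.has(String(a.pluginId)) && (RISK_ORDER[a.risk] || 0) >= threshold,
  );
  // Collapse per plugin so the report stays readable when many URLs trip one rule.
  const byPlugin = new Map();
  for (const a of offenders) {
    const key = `${a.pluginId}:${a.alert}`;
    const entry = byPlugin.get(key) || { alert: key, risk: a.risk, count: 0, urls: new Set() };
    entry.count += 1;
    entry.urls.add(a.url);
    byPlugin.set(key, entry);
  }
  return {
    pass: offenders.length === 0,
    offenders: [...byPlugin.values()].map((e) => ({ ...e, urls: [...e.urls] })),
  };
}

// Constructed sample in the shape of /JSON/core/view/alerts/ output.
const SAMPLE_ALERTS = {
  alerts: [
    { pluginId: '40012', alert: 'Cross Site Scripting (Reflected)', risk: 'High', confidence: 'Medium',
      url: 'http://localhost:3000/search?q=x', param: 'q' },
    { pluginId: '40012', alert: 'Cross Site Scripting (Reflected)', risk: 'High', confidence: 'Medium',
      url: 'http://localhost:3000/profile?name=x', param: 'name' },
    { pluginId: '10021', alert: 'X-Content-Type-Options Header Missing', risk: 'Low', confidence: 'Medium',
      url: 'http://localhost:3000/', param: '' },
  ],
};

// Stand-alone run: print the gate result and the URLs the job would hit.
console.log(regressionGate(SAMPLE_ALERTS));
console.log(zapRequests({ apiKey: 'changeme', target: 'http://localhost:3000' }).alerts);
```

In a pipeline the flow is: call `startActiveScan`, poll `scanStatus(scanId)` until it reports 100, fetch `alerts`, and exit non-zero when `regressionGate(...).pass` is false. Keeping the accepted-plugin list in version control next to the tests makes every risk acceptance reviewable.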
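The AppSensor idea (detection points inside the application, thresholds per user, an automatic response when a threshold is crossed) as an added example in plain JavaScript. This is not code from the OWASP AppSensor project, which has its own reference engine and configuration; the `AttackDetector` class, the detection point labels `AE2` and `IE1` (used here in the AppSensor style for repeated failed passwords and an XSS attempt in input), the thresholds, the responses and the event stream are all constructed for illustration. A fake clock keeps the scenario deterministic.

```javascript
// Added example: an AppSensor-style detection and response store.
// Not code from OWASP AppSensor; labels, thresholds and events are illustrative.

class AttackDetector {
  // policy: { [detectionPoint]: { threshold, windowMs, response } }
  // now():   clock (injectable for tests); respond(event): side effect hook
  constructor(policy, { now = () => Date.now(), respond = () => {} } = {}) {
    this.policy = policy;
    this.now = now;
    this.respond = respond;
    this.events = new Map(); // userId -> Map(detectionPoint -> [timestamps])
    this.state = new Map();  // userId -> response applied ('logout' | 'lock' | ...)
  }

  // Called from the code path that observed suspicious behaviour.
  record(userId, point, detail = '') {
    const rule = this.policy[point];
    if (!rule) throw new Error(`unknown detection point ${point}`);
    const t = this.now();
    const perUser = this.events.get(userId) || new Map();
    this.events.set(userId, perUser);
    // Sliding window: keep only hits younger than windowMs, then add this one.
    const hits = (perUser.get(point) || []).filter((ts) => t - ts < rule.windowMs);
    hits.push(t);
    perUser.set(point, hits);
    if (hits.length >= rule.threshold) {
      perUser.set(point, []); // one flood produces one response, not one per request
      this.state.set(userId, rule.response);
      this.respond({ userId, point, detail, count: hits.length, response: rule.response });
      return { triggered: true, response: rule.response };
    }
    return { triggered: false, remaining: rule.threshold - hits.length };
  }

  // Checked by authorisation middleware before serving a request.
  isAllowed(userId) {
    return !['logout', 'lock'].includes(this.state.get(userId));
  }
}

// Illustrative policy (assumption): three failed passwords in five minutes
// ends the session; two XSS attempts in one minute locks the account.
const POLICY = {
  AE2: { threshold: 3, windowMs: 5 * 60 * 1000, response: 'logout' },
  IE1: { threshold: 2, windowMs: 60 * 1000, response: 'lock' },
};

// Constructed event stream: [userId, detectionPoint, time in ms].
function runScenario() {
  let clock = 0;
  const responses = [];
  const detector = new AttackDetector(POLICY, { now: () => clock, respond: (r) => responses.push(r) });
  const events = [
    ['alice', 'AE2', 0], ['alice', 'AE2', 1000], ['alice', 'AE2', 2000], // third hit -> logout
    ['bob', 'IE1', 3000], ['bob', 'IE1', 70000],                          // 67 s apart: first hit aged out
    ['bob', 'IE1', 80000],                                                // 10 s after previous -> lock
    ['carol', 'AE2', 90000],                                              // single mistake, no response
  ];
  for (const [user, point, t] of events) { clock = t; detector.record(user, point); }
  return {
    responses,
    aliceAllowed: detector.isAllowed('alice'),
    bobAllowed: detector.isAllowed('bob'),
    carolAllowed: detector.isAllowed('carol'),
  };
}

console.log(runScenario());
```

The point of the window is that Bob's two attempts 67 seconds apart do not add up, while the pair 10 seconds apart does; the point of clearing the bucket on trigger is that a single attack produces a single, auditable response rather than a response per request.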