Node.js Authentication and Data Security

Slide 0

Node.js Authentication and Data Security
Tim Messerschmidt
Head of Developer Relations, International
Braintree
#HTML5DevConf @Braintree_Dev / @SeraAndroid


Slide 2

That's me

Slide 4

+ Braintree since 2013

Slide 5

Content
1. Introduction (current section)
2. Well-known security threats
3. Data Encryption
4. Hardening Express
5. Authentication middleware
6. Great resources


Slide 7

The Human Element

Slide 8

Top 10 Passwords 2014
1. 12345
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
bit.ly/1xTwYiA

Slide 9

Honorary Mention
superman
batman

Slide 10

Authentication & Authorization


Slide 11

Content (section 2 of 6): Well-known security threats


Slide 12

OWASP Top 10
bit.ly/1a3Ytvg

Slides 13-22

1. Injection
2. Broken Authentication
3. Cross-Site Scripting (XSS)
4. Direct Object References
5. Application Misconfigured
6. Sensitive Data Exposed
7. Access Level Control
8. Cross-site Request Forgery (CSRF / XSRF)
9. Vulnerable Code
10. Redirects / Forwards


Slide 23

Content (section 3 of 6): Data Encryption


Slide 24

Hashing
MD5, SHA-1, SHA-2, SHA-3

Slide 25

http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

Slides 26-29

Example passwords (revealed one per slide):
ishouldnotbedoingthis
whyareyoudoingthis
justtryingthisout
thebestpasswordever
arstechnica.com/security/2015/09/ashley-madison-passwords-likethisiswrong-tap-cheaters-guilt-and-denial

Slide 30

Efficient Hashing
crypt, scrypt, bcrypt, PBKDF2

Slide 31

md5 vs bcrypt, 10.000 iterations (times in seconds, github.com/codahale/bcrypt-ruby benchmark):

            user     system   total
  MD5       0.07     0.0      0.07
  bcrypt    22.23    0.08     22.31

Slide 32

abstrusegoose.com/296
http://abstrusegoose.com/296

Slide 33

Salted Hashing
algorithm(data + salt) = hash


Slide 34

Content (section 4 of 6): Hardening Express


Slide 35

use strict

Slide 36

Regex (ReDoS)
owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Slide 37

X-Powered-By

Slide 38

NODE-UUID
github.com/broofa/node-uuid

Slide 39

HTTP Parameter Pollution

  GET /pay?amount=20&currency=EUR&amount=1
  req.query.amount = ['20', '1'];

  POST amount=20&currency=EUR&amount=1
  req.body.amount = ['20', '1'];


Slide 40

bcrypt
github.com/ncb000gt/node.bcrypt.js

Slide 41

A bcrypt generated Hash
$2a$12$YKCxqK/QRgVfIIFeUtcPSOqyVGSorr1pHy5cZKsZuuc2g97bXgotS

Slide 42

Generating a Hash using bcrypt

  var bcrypt = require('bcrypt');

  // 12 is the cost factor (2^12 rounds); store the hash, never the password
  bcrypt.hash('cronut', 12, function(err, hash) {
    // store hash
  });

  // later: `hash` is the stored value loaded for this user
  bcrypt.compare('cronut', hash, function(err, res) {
    if (res === true) {
      // password matches
    }
  });


Slide 43

CSURF
github.com/expressjs/csurf

Slide 44

Using Csurf as middleware

  var csrf = require('csurf');
  // cookie: false keeps the secret in the session, so session middleware
  // (e.g. express-session) must be mounted before this one
  var csrfProtection = csrf({ cookie: false });

  app.get('/form', csrfProtection, function(req, res) {
    res.render('form', { csrfToken: req.csrfToken() });
  });

  app.post('/login', csrfProtection, function(req, res) {
    // safe to continue
  });

Slide 45

Using the token in your template (Jade)

  extends layout

  block content
    h1 CSRF protection using csurf
    form(action="/login" method="POST")
      input(type="text", name="username", value="Username")
      input(type="password", name="password", value="Password")
      input(type="hidden", name="_csrf", value="#{csrfToken}")
      button(type="submit") Submit


Slide 46

Helmet
github.com/HelmetJS/Helmet

Slide 47

Using Helmet with default options

  var helmet = require('helmet');

  app.use(helmet.noCache());
  app.use(helmet.frameguard());
  app.use(helmet.xssFilter());
  // ...

  // .. or use the default initialization
  app.use(helmet());

Slide 48

Helmet for Koa
github.com/venables/koa-helmet

Slide 49

Lusca
github.com/krakenjs/lusca

Slide 50

Applying Lusca as middleware

  var lusca = require('lusca');

  app.use(lusca({
    csrf: true,
    csp: { /* ... */ },
    xframe: 'SAMEORIGIN',
    p3p: 'ABCDEF',
    xssProtection: true
  }));


Slide 51

Lusca for Koa
github.com/koajs/koa-lusca


Slide 52

Content (section 5 of 6): Authentication middleware


Slide 53

Types of Express Middleware
1. Application-level
2. Route-level
3. Error-handling

Slide 54

Writing Custom Middleware

  var authenticate = function(req, res, next) {
    // check the request and modify the response, then call next()
  };

  app.get('/form', authenticate, function(req, res) {
    // assume that the user is authenticated
  });

  // ... or use the middleware for certain routes
  app.use('/admin', authenticate);


Slide 55

Passport
github.com/jaredhanson/passport

Slide 56

Setting up a passport strategy

  var passport = require('passport');
  var LocalStrategy = require('passport-local').Strategy;

  passport.use(new LocalStrategy(function(username, password, done) {
    User.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      if (!user) {
        return done(null, false, { message: 'Incorrect username.' });
      }
      if (!user.validPassword(password)) {
        return done(null, false, { message: 'Incorrect password.' });
      }
      return done(null, user);
    });
  }));

Slide 57

Using Passport Strategies for Authentication

  // Simple authentication
  app.post('/login', passport.authenticate('local'), function(req, res) {
    // req.user contains the authenticated user
    res.redirect('/user/' + req.user.username);
  });

  // Using redirects
  app.post('/login', passport.authenticate('local', {
    successRedirect: '/',
    failureRedirect: '/login',
    failureFlash: true
  }));


Slide 58

NSP
nodesecurity.io/tools

Slide 60

Content (section 6 of 6): Great resources


Slide 61

Passwordless Auth
medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb

Slide 62

OWASP Node Goat
github.com/OWASP/NodeGoat

Slide 63

Node Security
nodesecurity.io/resources

Slide 64

Fast Identity Online
fidoalliance.org

Slide 65

Security Beyond Current Mechanisms
1. Something you have
2. Something you know
3. Something you are

Slide 66

"Favor security too much over the experience and you'll make the website a pain to use."
smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form

Slide 67

Thank You!
@SeraAndroid
tim@getbraintree.com
slideshare.com/paypal
braintreepayments.com/developers

