Practical Web Security - The Lead Developer Lightning Talk by Junade Ali
TRANSCRIPT
Page 1
Practical Web Security
Junade Ali (@IcyApril)
Lead Developer at Creare, one of the UK’s largest digital agencies for SMEs.
Page 2
Creare hosts thousands of websites, facing over 2.5 million security attacks monthly.
Until recently we did too little at a web application level.
Page 3
(Image-only slide.)
Page 4
Under Attack
Prior to us relaunching our brand on the rooftop of Google headquarters in London, we were hit by a large-scale attack.
Page 5
So how did we stop it?
Page 6
Development Standards
• Use vulnerability scanning (WPScan, Vega, etc.).
• Enforce secure development (SQL injection/XSS/CSRF protection, secure hashing with bcrypt/PBKDF2, and setting up site-wide SSL).
• OWASP Top 10.
• For SSL/TLS, consider the SSL Labs standards.
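The "secure hashing with bcrypt/PBKDF2" and SQL-injection points on the Development Standards slide, worked through as an added example that is not code from the talk: a small login backend that stores passwords with PBKDF2 (Python's standard-library hashlib, so no bcrypt dependency), a per-user random salt and a self-describing record format, verifies them in constant time, and binds the username as a query parameter so quote characters in it can never change the SQL. The iteration count, record layout and in-memory SQLite table are assumptions made for this example.

```python
"""Login backend storage: PBKDF2 password hashing with a per-user salt, and
parameterised SQL so user input is bound as data rather than spliced into the query.
Added example; the iteration count and record format are choices made here, not
anything the talk specifies."""
import hashlib
import hmac
import os
import sqlite3
from base64 import b64decode, b64encode

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # illustrative; raise until a hash costs ~100 ms on your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     b64encode(salt).decode(), b64encode(digest).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare in
    constant time, so the comparison does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(candidate, b64decode(digest_b64))
    except ValueError:
        return False  # malformed record: wrong field count, bad base64 or bad integer


def needs_rehash(stored: str) -> bool:
    """True when a record was made with fewer iterations than the current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS


# Hashed once at import so an unknown username costs the same as a wrong password.
DUMMY_HASH = hash_password("not-a-real-password")


def open_user_db() -> sqlite3.Connection:
    """In-memory users table, constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # The ? placeholders bind values; no string formatting of user input into SQL.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, hash_password(password)))


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, row[0])


def demo() -> dict:
    conn = open_user_db()
    register(conn, "alice", "correct horse battery staple")
    return {
        "right_password": authenticate(conn, "alice", "correct horse battery staple"),
        "wrong_password": authenticate(conn, "alice", "Tr0ub4dor&3"),
        # Quote characters in the username stay inside the bound parameter.
        "quoted_username": authenticate(conn, "alice' OR '1'='1", "anything"),
        "unknown_user": authenticate(conn, "mallory", "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

The record carries its own iteration count, so `needs_rehash` lets you raise the cost later and re-hash each user at their next successful login; the dummy hash on the unknown-user path keeps the response time from revealing which usernames exist.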
Page 7
Search WP plugins on wpvulndb.com
Finding vulnerable WordPress plugins before installation.
Page 8
Turning to Hosting
Diagram: Web App
Page 9
Web Application Firewall
• If you run a web application, consider a Web Application Firewall.
• Useful in cases where you are hosting other people’s code.
• For Apache: ModSecurity
• For Nginx: NAXSI
• Commercial options too: Qualys, Sucuri, etc.
Page 10
The First Layer
Diagram: Web App / WAF
Page 11
Not a Real Bruteforce
Page 12
A Real Bruteforce
Page 13
Bruteforce Protection
• Make your defence aggressive.
• Block IPs which make persistent login attempts.
• On Linux: Fail2Ban
• Ban repeat offenders with the recidive jail.
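The two-tier scheme on the Bruteforce Protection slide (block hosts that keep hitting the login form, then hand repeat offenders a much longer ban), modelled in Python as an added example. This is not Fail2Ban's own code: `Jail` reproduces the maxretry/findtime/bantime behaviour of a Fail2Ban jail, the regex stands in for a failregex over Apache access-log lines, and the recidive tier is fed the first jail's ban events the way the real recidive jail reads fail2ban's own log. The log lines are constructed and the thresholds are illustrative, not Fail2Ban's defaults.

```python
"""Two-tier brute-force blocking in the spirit of a Fail2Ban login jail plus its
recidive jail. Added example, not Fail2Ban code: the log lines are constructed
(Apache combined format) and the thresholds are illustrative, not Fail2Ban's defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Plays the role of a Fail2Ban failregex: a POST to the login form, capturing <HOST>.
LOGIN_POST = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "POST /wp-login\.php ')


def make_log():
    """Constructed sample: 203.0.113.7 fires three bursts of five login POSTs, each burst
    after the previous short ban has lapsed; 198.51.100.20 logs in once like a normal user.
    Per-host windows are independent, so the lines need not be globally time-ordered."""
    base = datetime(2015, 10, 10, 10, 0, 0, tzinfo=timezone.utc)
    legit = base + timedelta(seconds=30)
    lines = [
        f'198.51.100.20 - - [{legit.strftime(TIME_FORMAT)}] "POST /wp-login.php HTTP/1.1" 302 0',
        f'198.51.100.20 - - [{legit.strftime(TIME_FORMAT)}] "GET /wp-admin/ HTTP/1.1" 200 8123',
    ]
    for burst in range(3):
        for i in range(5):
            t = base + timedelta(minutes=11 * burst, seconds=i)
            lines.append(f'203.0.113.7 - - [{t.strftime(TIME_FORMAT)}] "POST /wp-login.php HTTP/1.1" 200 3150')
    return "\n".join(lines)


class Jail:
    """Ban a host after `maxretry` matches inside `findtime` seconds, for `bantime` seconds."""

    def __init__(self, maxretry, findtime, bantime):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.recent = defaultdict(deque)  # host -> epoch seconds of matches in the window
        self.banned_until = {}            # host -> epoch second the ban lifts
        self.ban_events = []              # (host, when): the equivalent of fail2ban.log lines

    def is_banned(self, host, now):
        return now < self.banned_until.get(host, float("-inf"))

    def observe(self, host, when):
        """Record one match; return True if this match triggered a ban."""
        if self.is_banned(host, when):
            return False  # already dropped at the firewall; nothing new to count
        window = self.recent[host]
        window.append(when)
        while when - window[0] > self.findtime:
            window.popleft()
        if len(window) < self.maxretry:
            return False
        self.banned_until[host] = when + self.bantime
        self.ban_events.append((host, when))
        window.clear()
        return True


def run_jails(log_text, login_jail, recidive_jail):
    """Feed access-log matches to the login jail and its bans to the recidive jail."""
    for line in log_text.splitlines():
        m = LOGIN_POST.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("time"), TIME_FORMAT).timestamp()
        if login_jail.observe(m.group("host"), when):
            # Each short ban counts as one failure toward the long recidive ban.
            recidive_jail.observe(m.group("host"), when)


def demo():
    login = Jail(maxretry=5, findtime=10 * 60, bantime=10 * 60)
    recidive = Jail(maxretry=3, findtime=24 * 3600, bantime=7 * 24 * 3600)
    run_jails(make_log(), login, recidive)
    return {
        "login_bans": [host for host, _ in login.ban_events],
        "recidive_bans": [host for host, _ in recidive.ban_events],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the attacker collecting three short bans and then one week-long recidive ban, while the host that logged in once is never touched. In Fail2Ban itself the same knobs are `maxretry`, `findtime` and `bantime` in the jail definition, and the recidive jail's `logpath` points at fail2ban's own log so that each ban it records becomes a failure for the longer jail.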
Page 14
The Second Layer
Diagram: Web App / Fail2Ban / WAF
Page 15
Use Specialist Hosting
• Creare is migrating hosting from previous unspecialised web hosts to ones which understand the technology.
• When developing Magento or WordPress we now use specialist PaaS hosts who can offer specialised security.
Page 16
Hosting Added
Diagram: Web App / Server Fail2Ban / WAF
Page 17
Make Tough Friends
Page 18
CloudFlare
• Low cost (or free!) managed SSL. Free traffic filtering, CDN and caching.
• Pro accounts get Web Application Firewalls for PHP, Magento, WordPress, etc.
• Creare can enable CloudFlare without even changing name servers.
• Creare offers free Railgun: 143% HTML load time improvement, 90% decrease in TTFB.
Page 19
Preventing Data Leaks
Attempting to view a non-existent SFTP config file.
Page 20
SEO Benefits - Rankings
A large online retailer’s Google rankings after having their server hardened, site-wide SSL and CloudFlare installed.
Page 21
Slides at: ju.je/leadsec
Diagram: Web App / CloudFlare / Server Fail2Ban / WAF