Latest commit: André Jaenisch, fb318b0a8b, "feat: finalise presentation", 4 months ago
gimp feat: add OpenGraph metadata 5 months ago
src feat: finalise presentation 4 months ago
.gitignore feat: update build for syntax highlighting 6 months ago
README.md docs: gather ideas 6 months ago
Writing less insecure JavaScript - FOSDEM 2022.pdf feat: finalise presentation 4 months ago
devroom-full.pdf feat: finalise presentation 4 months ago
package.json feat: finalise presentation 5 months ago
yarn.lock chore: add reveal.js dependency 6 months ago

README.md

Writing less insecure JavaScript

My talk at FOSDEM 2022 JavaScript devroom.

Ideas / talking points

  • OWASP Top 10
  • Snyk Vuln DB Analysis
  • WeHackPurple
  • Big List of Naughty Strings
  • Bug Magnet
  • Security in depth
  • Threat Modelling
  • Runbooks
  • Alerts and Monitoring
  • Data flow diagram
  • Input validation
  • Output sanitization
  • Fuzzing
  • Security scanning and SAST
  • Software Architecture (repositories)
  • Frozen Factory
  • Immutability
  • Regular expressions
  • XSS
  • CSRF
  • CSP
  • SRI
  • Images and CSS as vector
  • Iframe and web extension messaging
  • Helmet for Express
  • Session hijacking
  • Cookies with the HttpOnly flag
  • JWT protection
  • In memory vs web storage with respect to TMS
  • Session IDs
  • Web Sockets
  • Session timeouts and invalidation
  • Npm package hijack via different auth strategies
  • AuthN and AuthZ
  • SLA and liability
  • GDPR notification
  • Security processes ISO
  • SSH and privilege escalation
  • Firewalls and port forwarding
  • Human factor
  • 12 Factor App and secrets as environment variables in Vaults
  • Cert revocation
  • Side channel attacks
  • IFrame sandbox
  • HTTP headers for clickjacking and privileges
  • Time to live for secrets
  • Information leakage on login and password forget
  • Magic links and OTP
  • Unicode confusion and bidi
  • Typosquatting
  • Gremlins VS Code extension
  • ESLint vuln plugin
  • Code complexity and KISS
  • Out-of-band verification (boss fake)
  • Phishing mails
  • Network segmentation and Raspi dropboxes
  • Darknet diaries
  • Hack the box
  • Security.md
  • Bug Bounty
  • Responsible disclosure
  • GPG and PKI
  • CISO
  • Juicy by OWASP
  • Token scanning
  • Offboarding and access revoking
  • Principle of least privilege
  • Password hashing and salting
  • HIBP