Keeping your users secure: Making your Ibexa application bulletproof (PDF, 28 pages, shared by a member)
Keeping your users secure
Making your Ibexa application bulletproof

Hello, I'm Lucas
- I've been at Platform.sh for almost 7 years!
- I used to do technical pre-sales, but was ops before that
- My secret love is finding weird workarounds that are technically correct (the best kind of correct)
- He/Him/His
- Senior manager, OMS team

Table of contents
- Framework(s)
- Your code and customizations
- Infrastructure
- Security and you

Framework(s)

Updates, updates, ...
Update all the things!
- In your OS package manager
- What's your PHP version?
- Composer
- Node?

Some tools are there to help you
- Topgrade (always test before) can upgrade everything
- Snyk, Aikido can scan your dependencies
- composer outdated fits right in your workflow

Protect endpoints
- Don't hide, strengthen ("My /admin is /admin7")
- Protect from path traversal
- Rate limit endpoints
- Consider a WAF

Caching too much?
- Too little is bad
- But too much is worse
- Ibexa's VCL can take care of the heavy lifting
- Vidar has a talk about it right after mine

Your code and customizations

Tokens
- You're not using defaults, right? ThisTokenIsNotSoSecretChangeIt
- Where should you store them?

Test your code
- Many tools can help
- Static analysis tools
- Automated scanners
- Pentests, bug bounties
- Blackfire rocks

Encourage disclosure
- Responsible hackers
- /security.txt
- Rewards?

Escaping content
- Never trust user input: '); DROP TABLE students;--
- CORS likes you, actually
- XSS
- User uploads
- Symfony Validator and escaper

Infrastructure

Firewalling
- Minimum exposure policy
- Strong passwords everywhere else
- Encryption for everything internet-facing
- Automated blocking (bad IPs, fail2ban)
- The internet of (bad) things

Use HTTPS
- Not any HTTPS though
- Consider HSTS
- TLS 1.3
- Key strength
- Test your certificates with SSL Labs or testssl.sh locally

Scripts
- Your app is a script
- Your pictures aren't!
- Check for separation
- Protect uploads
- Strive for read-only where you can

Backups
- Take them! Test them! Keep them! Restore them?
- Always follow the 3-2-1 rule
- Encryption all the way
- Yes, backups are security!

Disaster recovery
- Oh no, "it" happened
- What have we lost?
- How and why?
- What's the fastest way to go back online?
- Let's not do that again

Security and you

Passwords
- Policies = compromise
- Too short? You're hacked
- Too long? I'm using a sticky note
- Help users help themselves! Bitwarden
- Passkeys as alternatives

Choose your users
- Do you need that many admins?
- Do editors need that many permissions?
- Do you have a cleanup policy?
- Groups matter

Access management
- Don't use root
- Log everything
- Check and clean up processes
- Each user should get their own access
- Who can connect

More access management
- Use 2FA everywhere
- Use SSO when you can
- Avoid passwords; certificates are superior
- How to connect

Everyone's affected
- Phishing is everywhere
- No one is immune
- Train your team
- Train your users
- Users are the weakest link

Security never stops
- Update yourself
- Security advisories
- Read critical CVEs
- Educate everyone
- Write & review processes

Once you've identified a security issue that affects your application, you can react twice: "fast" with a WAF and virtual patching, and "long-term" with updating your application or its dependencies.

"When you do things right, people won't be sure you've done anything at all." (Cosmic entity, Futurama)

Ibexa Cloud
- Includes most of the presentation
- Read-only by default
- Up-to-date images by default
- Compliance certifications
- 24/7 security escalations
- Security out-of-the-box

Thank you!
Lucas Stil (He/Him), OMS Manager, Platform.sh
lucas@platform.sh
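The "Escaping content" and "Protect uploads" slides, turned into working PHP. This is an added example, not code from the talk or from Ibexa: it uses plain PHP (PDO, htmlspecialchars, realpath) in place of the Symfony Validator and Twig escaper the deck names, and the in-memory SQLite database and temp upload directory are assumptions chosen so the file runs without a framework.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk. Three "never trust user input" defences in plain PHP.
// Assumptions: SQLite in-memory stands in for the real database, the system temp
// directory stands in for the upload directory, and standard-library calls replace
// the Symfony Validator / Twig escaper the deck recommends.

// 1. SQL injection, the "'); DROP TABLE students;--" slide: bind values, never concatenate.
function findStudent(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM students WHERE name = :name');
    $stmt->execute([':name' => $name]); // the payload stays a literal string value
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. XSS: escape for the HTML context at output time, with an explicit charset.
function h(string $userText): string
{
    return htmlspecialchars($userText, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Uploads and path traversal: keep only the basename, allowlist the extension,
//    and confirm the resolved parent directory is still the upload directory.
function safeUploadPath(string $uploadDir, string $clientName): ?string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    $name = basename(str_replace('\\', '/', $clientName)); // strip any directory part
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.(png|jpe?g|pdf)$/i', $name)) {
        return null; // reject dotfiles, odd characters and unexpected extensions
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // realpath() on the parent defeats a symlinked directory pointing outside $base.
    return realpath(dirname($target)) === $base ? $target : null;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO students (name) VALUES ('Robert')");
findStudent($db, "Robert'); DROP TABLE students;--"); // matches nothing, table survives
echo count(findStudent($db, 'Robert')), " row(s) still readable\n";
echo h('<script>alert(1)</script>'), "\n";
$dir = sys_get_temp_dir();
var_dump(safeUploadPath($dir, '../../etc/passwd')); // basename 'passwd' fails the allowlist
var_dump(safeUploadPath($dir, 'photo.PNG'));        // a plain image name under $dir
```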