Introduction

[00:00:00]
>> Steve Kinney: Hello, my name's Steve. I'm the head of front engineering at a company called Temporal. We're gonna talk about web security, which is unique and different above just even regular security. I mean, it has all of the tenants of regular keeping computers safe, but it gets to be on the web, right?

[00:00:18]
Look, I use the words to describe the situation. I think the web is one of those things where it's the good parts are also the squirrely parts at the same time right? We took a text document viewer that had this crazy idea that you could have words that if you clicked on them or I guess hit enter key over them would bring you to another web page and we decided what we should do with that.

[00:00:39]
We should build the world's largest distributed application platform on top of it. And there are that comes with some quirks that we're gonna find out about today. And it also has some really great parts y'all remember that period of our lives about 10 years ago, where every time you went to a restaurant to look at the menu, they wanted you to download their app right?

[00:00:58]
And that's that was annoying. And now we're back to the good old days of being able to just go and we bring all the code into our browser. The browser, technically yes it compiles JavaScript. It's a compiled language technically we can get into V8 nerdery on another day.

[00:01:15]
But it compiles all that code and runs the application on our machines, which is different than having a compiled app that you download from somewhere, so on and so forth. And that's really great for a lot of reasons, right? But it also is the scary part as well.

[00:01:30]
On top of that, even on it's best day, the web is weird, right? It is a whole bunch of random decisions made over the course of decades, some of them incredibly though through, some of them not so much, some of them kind of just ad hoc kind of put in place.

[00:01:49]
And sometimes there are sets of words that are slightly different, it mean kind of the same thing, but not quite, right? Which makes the kind of understanding the mental model of security on the web just a little bit trickier, because you kind of have to almost do a historical context as you go through it, right?

[00:02:08]
And it's also one of those things, which is very few of us would ever say hey, do you think web security is not important? Very few people would say yes, right? I think we've all seen enough really bad exploits to know that when it gets really bad it gets really bad.

[00:02:23]
And we know that on a deeply philosophical level but sometimes you got deadlines and you definitely know that you're gonna get some kind of pushback if not all the features are there. Or you didn't kind of implement the design correctly but the looming existential threat of some kind of exploit or attack seems to sometimes take backseat, right?

[00:02:50]
And part of it is that a lot of times we understand these certain things that we've been told from the very beginning, sanitize your input Inputs, great, wonderful, right? But it's a lot of times harder. You need to think holistically about what are the ways in which this application could be attacked rather than run through a checklist.

[00:03:10]
And that's kind of give you what we covered today, which is not only hey, here are some technologies and tools for making sure that bad things don't happen to you. At the same time, let's actually understand understand how this stuff works instead of just running through a checklist or just assuming your framework of choice is gonna save you, right?

[00:03:26]
You can actually think about, okay, these are ways that this application would be vulnerable. Let me think about that in my development. And at the same time, we're gonna talk about some of the trade-offs, right? There are some things where yes, by doing such and such, which we'll get to, right?

[00:03:44]
Your application will become more secure, but possibly the user experience might be compromised, or the complexity of the infrastructure that you're gonna need to pull that off is maybe untenable. Maybe you can't given the current setup, right? There are certain things about, yes, you could do this with a green filled app, but it would also be a lot of complexity and deployment.

[00:04:04]
And then not all of us work on green filled apps, right? There's some times which is this seems great. I would love to do this. I cannot for quote unquote reasons, also known as the last 15 years of everything my company's ever done, and the way that everything's laid out.

[00:04:18]
There are certain things would you like the strongest encryption algorithm in the world? Great, would you like logins to take ten minutes no, right? And so we'll kind of also talk about some of those trade offs and how that plays through as well. And, again, where this holistic thinking comes around, which is I have this joke in my team.

[00:04:38]
That most of our worst bugs, and honestly, we have not, I have been lucky so far to not be at the wrong end of any kind of massive security issue. But I feel like most bugs and most probably security issues that we've seen that are notable and we will look at case studies, it'll be great.

[00:04:58]
Are not because I don't care about these things, they're either A, I didn't even know that was a thing, or B, the place where all bugs exist, which is in a code review. We had to do it like that because such and such reason, right? And sometimes when we lack that mental model, then it's hard to understand what exactly those trade-offs are and then somebody stamps It's a code review, it gets approved, it goes out.

[00:05:21]
And then sadness happens either with an incident or just the slow burn of 1,000 issues being followed by customers, so on and so forth, right? So by having this mental model, we have the ability to get a sense of exactly what we're dealing with and understand rather than just looking can they go, no, I have to do this thing maybe you don't.

[00:05:39]
Maybe there's actually a better way to think about this and a better way to do it. And different sets of trade-offs. So most of the vulnerabilities and the technologies to solve them that we see today, it's not do this one thing and you are safe. It is kind of hey, there's three different layers of protection, right?

[00:05:57]
And maybe you can't do 100% of all of them for reasons, and those reasons will be different depending on your app, I get it. But by layering a content security policy, along with sanitization, along with certain attributes on a cookie. You can get pretty robust coverage where you maybe you don't have to do something really squirrely, so on and so forth, right?

[00:06:18]
Because those things slip through and all of a sudden, yeah, it was maybe a junior engineer team didn't really understand what a CSRF token was. And just did the most naive thing they found on stack overflow. We can kind of have those ability to kind of at least get a sense and think about what are the trade offs here.

[00:06:38]
And then at the same time, right? How do we actually structure our applications to make this stuff easier, right? And we'll kinda talk about that as we go through as well. And the kinda other piece I kind of referenced before is separating. There are things that we think we understand about origins and cookies and stuff along those lines.

[00:06:58]
There are these kinda just things we we've read in a tweet before, right, about what to do. And actually understand, which is okay, this is actually how it works, cuz it's really most times, it's not that an app was wide open when it gets exploited or attacked, it's there was some tiny little edge case.

[00:07:19]
That an attacker managed to kinda wedge themselves into and pry your application open right? Most of the attacks are somewhat sophisticated, and it's really one of those things too, which is if you are really good at security and you're doing your job incredibly well. Nobody notices because it's one of those things that you only really notice if the bad thing happens, right?

[00:07:43]
And we'll kinda see what the surface area of the bad thing is 'cause it's kinda on one hand it is sometimes tempting to be I'm a front end engineer. I it's just text files on the internet. We should be good, right? But then you also have to kind of realize at the same time that you are the front line of defense right?

[00:07:59]
That is what the user is interacting with that we could actually be the doorway into the backend systems, right? And kind of taking that incredibly seriously and also understanding that on the internet, nobody really knows who you are, right? Which is good ways and bad ways, but it means that we assume that a user is who they are because they have a certain authtoken or a cookie, right?

[00:08:24]
Should the wrong person get that, or should the person be able to simulate being that person right? Again, the keys to the castle are open. So the stuff becomes, I think, more important than we tend to think it is because I don't even have the keys to the data, I'm l you do to a certain extent, because if they get that user session, they can be that user.

[00:08:43]
And if they get your user session with admin privileges or whatever, that's a thing too. And again, just because you use your framework of choice or whatever does not mean you are safe, right? One of the things will kinda see in our time together that felt really scary, you're not safe, even if you use react.

[00:09:02]
But you can still do little innocuous things in the business logic of your code that no framework is gonna be able to save you from, right? And so hopefully what we seek to do today is to kind of train ourselves, to kind of get that effective subconscious sixth sense about this feels a little weird or I think there might be a problem here.

[00:09:25]
Then also, rather than we will have to cover some, look at this policy, so on and so forth. But we'll kinda look at it through the lens of breaking open some little simple applications, right? So we think about it from the this is how it might be exploited rather than here's a checklist of things I was told I should do on the Internet right?

[00:09:45]
So yeah, we're gonna dig in and just on a high level some of the things we're gonna cover together. We're gonna talk about some of the common vulnerabilities found in many web applications. This is a limited period of time that we get to spend together. So I try to figure out what are the kind of ones that are broadly applied everywhere, right?

[00:10:07]
So some things will always be unique to your exact situation, right? We'll talk about how to have the general policies to cover that, right? In terms of maybe if you use express, it's gonna be very different than if you use Ruby on Rails. It's very different than your backend is in go.

[00:10:21]
But the kind of principles around these are things that affect web applications writ large. We will use node and express 'cause it feels like a lingua franca. But the idea is to keep the things that apply to the widest range of situations you might face in your day to day.

[00:10:34]
At the same time we'll take a look at some of these simple applications and figure out how to break them open. I will say this again, but I'll say it now as well. For a lot of these applications, we've got a bunch of little demo examples and exercises.

[00:10:48]
A lot of them highlight a particular, either safeguard or a particular vulnerability. But I did choose to leave a whole bunch of other vulnerabilities in different examples. Was as well because most of the time, the attacks that you see are not just they just violated the CSRF token, right?

[00:11:09]
It's they use that to then launch a cross-site scripting attack to then steal a session and become a user, right? So for a lot of these demos, there are multiple ways that once you kinda get to the main thing. You can kind of explore a little bit on your own and see how much damage you can really cause.

[00:11:25]
And the other thing that I will just kinda call out as we go through some of these examples, which is if it is possible to break into an app that was meant to be secure. I have to assume that when I was making intentionally broken apps, there are probably more ways than I even initially thought, especially 'cause some of them I made a long time ago and forgot even where I hit the trapdoor.

[00:11:47]
So for a lot of these, I think if we get a chance, if you find something new and interesting as well, let's bring it up and explore it, because there are lots of different vectors for these because they are effectively not the most scary. To cure things in the world intentionally, but maybe in some novel ways that were somewhat unexpected with the way they all overlay with each other.

[00:12:07]
And the cool here, as I kinda mentioned, is to get a reasonably deep understanding right? Let me tell you as somebody who has read 10 books on this in the last month, the rabbit hole can go pretty deep right? Reasonable kind of sense of this thing that's practical in the day-to-day, right?

[00:12:25]
So we'll kinda cover, again, I said before, those common vectors. There's some weird things you can do to a Graph QL resolver that feels a little beyond this, but maybe we'll talk about it as well. But understand that so as you go in, you're I see things that I didn't see before is kind of the hope and dream that we have by the end of this.

[00:12:47]
But again, there's all set of trade-offs, right? There are certain policies which maybe, again, depending on the way that you're, maybe API is technically in a different domain. Well, you have a new set of problems then, right? Maybe login is jumping between six different micro surfaces. Yeah and maybe again, using certain, super strict settings, degrades your user experience to a point where it's this.

[00:13:11]
Yeah, what app nobody's gonna break into? One that nobody wants to use right? And so talk about some of those trade offs and the complexity costs, because, yeah. Perfect is almost definitely the enemy of the good in this case. So we'll make sure that we kinda have, it's not just do this thing cuz I was told to do it.

[00:13:28]
But it's do this thing cuz I actually understand how it works and I understand the risk reward here and I'm going to this with my eyes wide open.