SecAppDev 2020 Lecture Details
The ultimate guide to Content Security Policy
Wednesday March 11, 14:00 - 15:30
Even with hardened frameworks and thorough security reviews, there's no guarantee that an application is free of XSS. In this session, I'll present different flavors of CSP, which can serve as a robust defense-in-depth mechanism against XSS.
Google is a prime target for attackers. As a result, Google has plenty of experience battling all kinds of XSS attacks. In recent years, they have successfully deployed a nonce-based CSP, one of the most misunderstood and, arguably, most powerful web mitigation techniques.
This session provides an in-depth technical analysis of the effectiveness of different flavors of CSP for the many classes of XSS vulnerabilities, busts myths and common misunderstandings, and explores the often fuzzy boundary between hardening and mitigation techniques.
Learning objective: Understand how to use CSP as a robust defense-in-depth mechanism against XSS.
Audience: Anyone building, designing or securing web applications.
Prerequisites: Technical aspects of web applications (HTML, JS, HTTP) and ideally a basic understanding of Content Security Policy.
Speaker: Lukas Weichselbaum, Staff Information Security Engineer, Google
Lukas is a staff information security engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences. He's passionate about securing web applications from common web vulnerabilities and leads the Google-wide Content Security Policy (CSP) adoption effort. Lukas also co-authored the CSP3 W3C specification and is the creator of the CSP Evaluator.
Related web security sessions
Building secure frontend web applications
One-day workshop by Jim Manico
Web security Tuesday March 10, 09:00 - 17:30
A builder's guide to API security
One-day workshop by Philippe De Ryck
Most modern applications consist of a frontend web or mobile application backed by several API-based services. This paradigm shift away from server-side page generation has a significant impact on various security aspects. To build secure applications, developers need to be aware of these security changes, along with current best practices. This one-day workshop offers a unique in-depth perspective on modern API security.
Web security Wednesday March 11, 09:00 - 17:30
Securing web apps with modern platform features
Lecture by Lukas Weichselbaum
Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user. Luckily, new security mechanisms in web browsers offer ways for developers to protect their applications.
Web security Thursday March 12, 09:00 - 10:30
Lecture by Marcin Hoppe
Web security Thursday March 12, 11:00 - 12:30