SecAppDev 2023 lecture details
From zero to hero with Content Security Policy
In this session, we identify do's and don'ts when building CSP policies for modern applications. We explore how to enable CSP with third-party content and offer a nuanced opinion on building secure CSP policies.
Tuesday June 13th, 16:00 - 17:30
Room West Wing
Abstract
The main feature of CSP is acting as a second line of defense against XSS. A solid CSP can prevent an existing XSS vulnerability from being exploited. But how do you write a solid CSP policy? And what about compatibility with single page applications?
In this session, we embark on a journey through the different versions of CSP, identifying the relevant parts along the way. With that knowledge, we arrive at the current best practices for building secure CSP policies. We also identify potential conflicts with modern application paradigms and illustrate how to deploy CSP in these cases.
Key takeaway
Modern best practices for building secure CSP policies, along with guidelines for deploying CSP in single page applications
Content level
Advanced
Target audience
Anyone building or securing browser-based applications (web, mobile, Electron)
Prerequisites
A solid understanding of HTML and JavaScript.
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Related lectures
The security model of the web
Introductory lecture by Philippe De Ryck in room Lemaire
Monday June 12th, 11:00 - 12:30
In this session, we explore how to leverage the fundamental security model of the web for security. We also explore complex attack patterns, such as CSRF, and how they impact even modern API-based applications.
Key takeaway: Understand how the browser reasons about web security, and how you can leverage this fundamental security model to secure your applications
Modern security features for web apps
Introductory lecture by Lukas Weichselbaum in room Lemaire
Wednesday June 14th, 14:00 - 15:30
Learn about new web platform security mechanisms available in web browsers that enable developers to protect their web applications from common and new web attacks.
Key takeaway: Learn how to use new web security features such as CSP3, Trusted Types, Fetch Metadata and COOP to prevent classes of prevalent & emerging web attacks
Policy-as-Code: across the tech stack
Deep-dive lecture by Abhay Bhargav in room Lemaire
Tuesday June 13th, 16:00 - 17:30
Discover Policy-as-Code (PaC) for decoupled security across the stack, covering OPA for API gateways, Kyverno for Kubernetes, Tetragon & Tracee for eBPF, and Casbin & Oso for authorization. Learn how to enhance security and compliance with PaC tools.
Key takeaway: Using Open Policy Agent (OPA) for policy management, eBPF for security detection on containerized workloads, and authorization-as-code frameworks for RBAC