Details

Held at VISA in Foster City

RSVP is required, with full names, for building security. You must answer the RSVP question with your full name, or your meetup name must be your full name. If it is not provided, you will not be admitted to the building.

Agenda
6:30 - Doors Open
6:45 - Talk 1 - Secure by Default Stack: Web Application Security Infrastructure - Pritam Mungse, Visa
7:30 - Break
7:40 - Talk 2 - Research on HTTPS error storage policies, Adrienne Porter Felt, Google
8:30 - Networking
9:00 - Door Close

Pizza will be served.

Talk 1

Title: Secure by Default Stack: Web Application Security Infrastructure

The talk gives an overview of the various security frameworks available for implementing web application security. It then details our implementation of a security infrastructure built on ESAPI. We have successfully implemented safeguards against SQL injection, XSS, unsafe file uploads, and many more. This common infrastructure is embedded into each application, making the stack secure by default, so application developers can focus on the business problems they need to solve rather than on common security issues.

Speaker:

Pritam is a Security and Platform leader at Visa, focused on leading security initiatives around web application security and data protection. He is passionate about making security implementation seamless and painless. His responsibilities at Visa include security architecture review, threat modeling, and leading common security services.

Talk 2

When someone decides to ignore an HTTPS error warning, how long should the browser remember that decision? If they return to the website in five minutes, an hour, a day, or a week, should the browser show them the warning again or respect their previous decision? There is no clear industry consensus, with eight major browsers exhibiting four different HTTPS error exception storage policies.

Ideally, a browser would not ask someone about the same warning over and over again. If a user believes the warning is a false alarm, repeated warnings undermine the browser's trustworthiness without providing a security benefit. However, some people might change their mind, and we do not want one security mistake to become permanent.

We evaluated six storage policies with a large-scale, multi-month field experiment. We found substantial differences between the policies, and that one of the storage policies achieved more of our goals than the rest. Google Chrome 45 adopted our proposal, and it has proved successful since deployment. Subsequently, we ran Mechanical Turk and Google Consumer Surveys to learn about user expectations for warnings. Respondents generally lacked knowledge about Chrome's new storage policy, but we remain satisfied with our proposal due to the behavioral benefits we have observed in the field.

Speaker:

Adrienne Porter Felt is a security and privacy researcher at Google. Her current focus is on designing and building usable security.

She is the tech lead manager for Google Chrome's usable security team and is trying to make HTTPS adoption ubiquitous and painless for end users. She's also working on building a permissions model that will scale up for large numbers of new, rich web APIs.
