As information security professionals, we are constantly in a race against malicious attackers who typically have the lead. However, advances in modern browser security give developers the opportunity to become far more proactive in addressing entire classes of vulnerabilities. One technology in particular, Content Security Policy (CSP), has a bright future in severely crippling cross-site scripting (XSS) attacks: a policy delivered in the Content-Security-Policy response header tells the browser which sources the page may load scripts from, so an injected inline script or a script pulled from an unlisted origin is refused even when the injection itself succeeds. But the roll-out and implementation of this technology will drastically change how developers design web applications, because a policy that still permits inline scripts gives up most of that protection.
This talk looks into what Content Security Policy is and how it works. We will then step through a variety of metrics from popular websites, taking into consideration which sites are already using CSP and which sites may have issues implementing this technology. Some strategies will be discussed to overcome the hurdles of implementing CSP.
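To make the mechanism the abstract refers to concrete, the following is an added example (not code from the talk or its presenters): a minimal evaluator for the script-src part of a policy, run against a permissive policy that keeps 'unsafe-inline' and a stricter nonce-based one. It implements only a subset of CSP (host sources with wildcards and ports, bare scheme sources, 'self', 'none', 'unsafe-inline', nonces, and the script-src fallback to default-src; hashes, 'strict-dynamic' and reporting are omitted), and the hostnames and nonce value are constructed for the demonstration.

```javascript
// Added example: a subset of Content Security Policy script-src evaluation.
// Not from the original talk; hostnames and the nonce below are constructed.

// Parse "default-src 'self'; script-src 'self' https://cdn.example.com" into
// { 'default-src': ["'self'"], 'script-src': ["'self'", "https://cdn.example.com"] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, only the first occurrence is honoured.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src governs scripts; if it is absent, default-src applies; if neither
// is present the policy places no restriction on scripts at all (null).
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// Match one host-source expression (optional scheme, host with optional *.
// wildcard, optional port) or bare scheme-source ("https:") against a script URL.
// A scheme-less source inherits the scheme of the protected page.
function hostSourceMatches(source, scriptUrl, pageUrl) {
  let scheme = pageUrl.protocol;
  let rest = source;
  const withScheme = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (withScheme) {
    scheme = withScheme[1].toLowerCase() + ':';
    rest = withScheme[2];
  } else if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return scriptUrl.protocol === source.toLowerCase(); // bare scheme, any host
  }
  if (scriptUrl.protocol !== scheme) return false;
  const hostPort = rest.split('/')[0].toLowerCase();
  const colon = hostPort.lastIndexOf(':');
  const host = colon === -1 ? hostPort : hostPort.slice(0, colon);
  const port = colon === -1 ? null : hostPort.slice(colon + 1);
  const target = scriptUrl.hostname.toLowerCase();
  const hostOk = host === '*' ||
    (host.startsWith('*.') ? target.endsWith(host.slice(1)) : target === host);
  if (!hostOk) return false;
  const defaults = { 'http:': '80', 'https:': '443' };
  const targetPort = scriptUrl.port || defaults[scriptUrl.protocol] || '';
  if (port === null) return scriptUrl.port === ''; // no port given: default port only
  return port === '*' || port === targetPort;
}

// Decide whether a script may execute on the page served at pageUrl under the
// given header. script is { inline: true, nonce?: string } for an inline block
// or { src: string } for an external script (relative URLs resolve against the page).
function scriptAllowed(header, pageUrl, script) {
  const page = new URL(pageUrl);
  const sources = effectiveSources(parsePolicy(header), 'script-src');
  if (sources === null) return true; // policy says nothing about scripts
  if (script.inline) {
    if (sources.some(s => s.toLowerCase() === "'unsafe-inline'")) return true;
    // Nonces are case-sensitive and must match the attribute exactly.
    return script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`);
  }
  const target = new URL(script.src, page);
  return sources.some(s => {
    const lower = s.toLowerCase();
    if (lower === "'self'") return target.origin === page.origin;
    if (lower.startsWith("'")) return false; // 'none' and other keywords never match a URL
    return hostSourceMatches(s, target, page);
  });
}

// Constructed demo: the same injected inline payload under two policies.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com";
const PAGE = 'https://shop.example.com/cart';

if (typeof require !== 'undefined' && require.main === module) {
  const injected = { inline: true };                       // attacker-supplied <script>
  const legit = { inline: true, nonce: 'r4nd0m' };         // page's own nonced <script>
  const cdn = { src: 'https://cdn.example.com/jquery.js' };
  const evil = { src: 'https://evil.example.net/x.js' };
  for (const [name, policy] of [['weak', WEAK_POLICY], ['strict', STRICT_POLICY]]) {
    console.log(name, 'injected inline:', scriptAllowed(policy, PAGE, injected),
      'nonced inline:', scriptAllowed(policy, PAGE, legit),
      'cdn:', scriptAllowed(policy, PAGE, cdn), 'evil host:', scriptAllowed(policy, PAGE, evil));
  }
}
```

The weak policy still allows the injected inline block and any HTTPS host, which is exactly the shape many sites end up with when they add CSP without removing inline scripts; the strict policy blocks both while the nonced script and the listed CDN keep working.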
About our presenters:
Scott Behrens is currently employed as a Senior Security Consultant at Neohapsis and an Adjunct Professor at DePaul University. An avid coder and researcher, he has contributed to a number of open source tools for both attack and defense. Scott has presented security research at DEF CON, DerbyCon, Security Forum Hagenberg, HackMiami, Security B-sides Chicago, and ISACA events. Scott has also published security white papers for InformationWeek magazine, the Infosec Institute, and the Neohapsis blog.
Patrick Thomas is a Security Consultant with over eight years of software development experience spanning multiple technologies and domains. Patrick is the creator of BlindElephant, a remote web application fingerprinting tool, and has spoken on web application security, web malware, exploit kits, and physical security at various conferences including Black Hat USA, DEF CON, SecTor and BayThreat.