Beyond HTTPS - HSTS, TLS, HPKP, CSP and friends


Details
Most developers know they should secure a website using HTTPS, but moving a website to HTTPS is not enough. Browser vendors have added many HTTP security headers to make HTTPS websites safer to use: HSTS (HTTP Strict Transport Security), HPKP (Public Key Pinning), CSP (Content Security Policy), and others. In this session, you will learn about moving websites to HTTPS. You will also see how these security headers need to be thoroughly planned out, from which TLS versions and ciphers to support to which certificates to pin. The session will show how to leverage CSP to measure the impact of changes before they are enforced, how HSTS, HPKP, and CSP can work together to ensure a safer experience for users, and how to use various tools to test and monitor all of these security headers.

Speaker Biography:
Robert Hurlbut is a software security architect, developer, and trainer. Robert is a Microsoft MVP for Developer Security and holds the (ISC)2 CSSLP certification. Robert has over 30 years of industry experience in secure coding, software architecture, and software development. Robert blogs at https://roberthurlbut.com/blog, shares links and other information on Twitter at @RobertHurlbut, and is a co-host of the Application Security Podcast at https://www.appsecpodcast.org.