CSP: The good, the bad, and the ugly

Ilya Nesterov (Shape Security)

9:50am–10:30am Wednesday, June 21, 2017

Modern Web Essentials
Location: 212 A/B

Secondary topics: Security

Average rating:

(2.75, 4 ratings)

Rate This Session

Download slides (PDF)

Who is this presentation for?

Web application developers, DevOps engineers, and security engineers

Prerequisite knowledge

A basic understanding of the browser security model, SOP, and different attacks on web applications (XSS, CSRF, etc.)

What you'll learn

Understand the key differences between CSP levels 1,2, and 3, the definition of strict CSP and how to build one, and typical mistakes in CSP that could leave your application unprotected
Explore available tools, frameworks, and useful resources

Description

The W3C Web Application Security workgroup worked hard to establish new standards to improve web application security, such as CORS, SRI, HSTS, and HPKP. The most complicated standard is Content Security Policy (CSP), which is so complex that web application developers and DevOps teams can easily get lost when attempting to integrate it.

Ilya Nesterov helps you figure out where to start, how to do it, and which issues you might face when you want to add CSP to your web application. You’ll learn the key differences between CSP levels 1, 2 and 3, what secure CSP means, and how to build it. Ilya also discusses how to create production-ready, backward-compatible policy.

Ilya explores how the Alexa top 1 million websites have adopted CSP and show interesting patterns discovered among their policies, as well as typical mistakes and strategies to fix them. Ilya concludes with an examination of available tools and frameworks and a glimpse at the tools and frameworks we need to build to efficiently deploy CSP.

Ilya Nesterov

Shape Security

Ilya Nesterov is an engineering manager at Shape Security. Ilya also works as an independent security researcher and is a speaker on security topics. Previously, he worked at F5 Networks. His interests include modern web application security threats and countermeasures, botnets, malware infrastructure, exploits, and honeypot development. Ilya holds a master’s degree from Tomsk Polytechnic University.

Sponsorship Opportunities

For exhibition and sponsorship opportunities, email fluent@oreilly.com

Partner Opportunities

For information on trade opportunities with O'Reilly conferences, email partners@oreilly.com

Contact Us

View a complete list of Fluent contacts

©2017, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • confreg@oreilly.com