Mr. IETF, Mr. W3C, members of the information security community, distinguished developers, and fellow hackers, Ben Toews and Scott Behrens present to you a state of the web security union address.
We have seen a surge of proposed standards and governing documents intended to improve web security. Client-side flaws are being addressed by standards such as Content-Security-Policy and IFRAME sandboxing. Data in transit is being more tightly secured with HTTP Strict Transport Security. Beyond these, there is a plethora of related technologies: X-Frame-Options, the Origin header, Encrypted Media Extensions, X-XSS-Protection, and more. We look at the intricacies of the proposed and accepted standards as well as how they are implemented. Security considerations for these technologies are addressed from a design perspective, along with a discussion of any weaknesses observed. In addition, we break down which browser versions support these technologies and estimate the number of users who run compatible browsers.
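As an added illustration (example code written for this page, not material from the talk or its authors), the Node.js snippet below assembles the response headers named above and encodes two of the pitfalls a reviewer checks for first: a Content-Security-Policy whose effective script-src still permits inline script, and a Strict-Transport-Security header emitted on a plain-HTTP response, which browsers must ignore per RFC 6797. The directive map, the CDN origin and the `isHttps` flag are constructed inputs for demonstration.

```javascript
'use strict';

// Build a Content-Security-Policy header value from a directive map.
// Constructed example input:
//   { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.com'] }
function buildCsp(directives) {
  return Object.keys(directives)
    .map((name) => `${name} ${directives[name].join(' ')}`)
    .join('; ');
}

// Parse a CSP header value back into a directive map, for auditing an
// existing policy. Directive names are case-insensitive; source values are kept verbatim.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// script-src governs inline script; when absent, default-src is the fallback.
function effectiveScriptSrc(directives) {
  return directives['script-src'] || directives['default-src'] || [];
}

// True when the policy still lets inline <script> execute, which removes most
// of the XSS mitigation CSP is deployed for. Per CSP Level 2, 'unsafe-inline'
// is ignored when a nonce or hash source is also present, so that case is
// reported as safe.
function cspAllowsInlineScript(policy) {
  const src = effectiveScriptSrc(parseCsp(policy));
  const hasNonceOrHash = src.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Assemble the header set for one response. `isHttps` must reflect the real
// transport: RFC 6797 requires user agents to ignore an STS header received
// over insecure HTTP, so it is only emitted on HTTPS responses here.
function securityHeaders({ csp, isHttps, frameOptions = 'DENY' }) {
  const headers = {
    'Content-Security-Policy': csp,
    // DENY or SAMEORIGIN; ALLOW-FROM was never supported uniformly across browsers.
    'X-Frame-Options': frameOptions,
    // Legacy reflected-XSS filter: mode=block stops rendering instead of
    // attempting to rewrite the page.
    'X-XSS-Protection': '1; mode=block',
  };
  if (isHttps) {
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  return headers;
}

// Constructed sample policy, run through both checks.
const samplePolicy = buildCsp({
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com', "'unsafe-inline'"],
});
console.log(samplePolicy);
console.log('inline script allowed:', cspAllowsInlineScript(samplePolicy));
console.log(securityHeaders({ csp: samplePolicy, isHttps: true }));
```

The audit function reports the script-src directive after applying the default-src fallback, which is the order a browser uses; a policy that names only `default-src 'unsafe-inline'` is therefore flagged even though the string "script-src" never appears in it.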
Developers should leave this talk knowing how these security technologies work and where they can be applied. Security engineers will have a clearer understanding of these technologies, including how and when to recommend them and the common pitfalls associated with them.
See the feature support visualizations at http://btoe.ws/browserstats