Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Webappsec future standards", Taras Ivaschenko

OWASP Moscow
December 04, 2017
Technology
0
110

"Webappsec future standards", Taras Ivaschenko

OWASP Russia Meetup #3

OWASP Moscow

December 04, 2017
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
420
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
600
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
850
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
560
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
470
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
540
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
530
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
470
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
460

Other Decks in Technology

See All in Technology
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
地理情報データをデータベースに格納しよう~ GPUを活用した爆速データベース PG-Stromの紹介 ~
sakaik
1
150
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
460
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
180
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
560
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
140
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
270

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Adopting Sorbet at Scale
ufuk
73
9.1k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Speed Design
sergeychernyshev
24
610
Docker and Python
trallard
40
3.1k
Making Projects Easy
brettharned
115
5.9k

Transcript

  1. OWASP Russia Meetup #3 Web Application Security: future standards and

    technologies
  2. None
  3. None

  4. Web Application Security Working Group The mission of the Web

    Application Security Working Group, part of the Security Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication. http://www.w3.org/2014/12/webappsec-charter-2015

  5. Agenda • CSP2 (very shortly) • Subresource Integrity • Referrer

    Policy • Credential Management API • Confinement with Origin Web Labels • Entry Point Regulation for Web Applications

  6. CSP2 • www.w3.org/TR/CSP2/ • nonces & hashes!!!11111 • frame-ancestors to

    replace X-Frame- Options • unsafe-redirect • The CSP HTTP Request Header • More information in violation reports

  7. CSP2 nonces Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce- Nc3n83cn...9hc3'

    <script nonce="Nc3n83cn...9hc3"> alert("Allowed because nonce is valid.") </script>

  8. Subresource Integrity • www.w3.org/TR/SRI/ • Integrity verification via cryptographic hash

    <script src="https://example.com/example- framework.js" integrity="sha256- C6CB9UYIS9UJeq...5Twh+Y5qFQmYg=" crossorigin="anonymous"></script>
  9. None

  10. RefeRRer Policy • www.w3.org/TR/referrer-policy/ • <meta name="referrer" content="origin"> • None,

    None when downgrade, Origin Only, Origin when cross-origin, Unsafe URL

  11. Credential Management API • www.w3.org/TR/credential-management-1/ • Allow websites to more

    directly interact with the user agent’s credential manager • Help to detect sign-in via a third-party • Changing Password

  12. Password-based Sign-in navigator.credentials.get({ "types": [ "password" ] }).then( function(credential) {

    if (!credential) { // show basic form return; } if (credential.type == "PasswordCredential") { credential.send("https://example.com/login") .then(function (response) { // signin succeeded! }); } else { // See the Federated Sign-in example } });

  13. And the last... • Confinement with Origin Web Labels •

    Entry Point Regulation for Web Applications • Permissions API • Suborigin Namespaces • Mixed Content • User Interface Security Directives for Content Security Policy
  14. None

  15. Thanks! mailto:[email protected]