Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Application Security: future standards and technologies

5b723186bd1e23af569bd623f193a2b9?s=47 oxdef
June 06, 2015
Programming
0
140

Web Application Security: future standards and technologies

OWASP Russia Meetup #3

5b723186bd1e23af569bd623f193a2b9?s=128

oxdef

June 06, 2015
Tweet

More Decks by oxdef

See All by oxdef
How to improve software security with OWASP open source initiatives
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
59
Keynote at ZeroNights X (2021)
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
19
Security Culture: Here be Hackers
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
220
OWASP Top 10 - 2017 What’s inside?
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
180
И разработчик станет хакером!
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
24
Implementing Content Security Policy at a Large Scale
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
220
Security in developer’s life: knowledge is power
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
120
HTTPS by default - no more clear
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
10
Content Security Policy - the panacea for XSS or placebo?
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
120

Other Decks in Programming

See All in Programming
よりUXに近いSLI・SLOの運用による可用性の再設計
953d2907b80dd5955c561d695ea9a494?s=48 kazumanagano
3
470
Milestoner
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
1
200
코드 품질 1% 올리기
354271902cd8ba2762d05b251dfa0f84?s=48 pluu
1
930
Improve Build Times in Less Time
85a1166e93654865b4dcafdafe2b2dfd?s=48 zacsweers
6
2.8k
Blazor WebAssembly – Dynamische Formulare und Inhalte in Aktion
7a33106dde82ecc65a220eaf9d131222?s=48 patrickjahr
0
150
GraphQL+KMM開発でわかったこと / What we learned from GraphQL+KMM development
E505897a79eede1a676f92740261e8f8?s=48 kubode
0
110
Kotlin 最新動向2022 #tfcon #techfeed
14c9795d267f5b85abb98ca5e8780646?s=48 ntaro
1
900
実録mruby組み込み体験
5b3338b3676d4f7091a575e584f3a4f4?s=48 coe401_
0
100
Kotlin KSP - Intro
7589a5a8fec022e8af4e46525150a291?s=48 taehwandev
1
470
Modern Web Apps with Spring Boot, Angular & TypeScript
A0aae1297a0593c1316abdcdb4131e3a?s=48 toedter
12
14k
Composing an API with Kotlin (Kotlin Dev Day 2022)
4047c64e3a1e2f81addd4ba675ddc451?s=48 zsmb
0
130
あなたの会社の古いシステム、なんとかしませんか?~システム刷新から考えるDX化への道筋とバリエーション~/webinar20220420-grapecity
Dcbf2269af2483cabf43128ad1718c11?s=48 grapecity_dev
0
130

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
238
11k
Infographics Made Easy
282d599b414022eba5096510f675b6e2?s=48 chrislema
233
17k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
212
20k
Done Done
282d599b414022eba5096510f675b6e2?s=48 chrislema
174
14k
Build The Right Thing And Hit Your Dates
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
19
1.1k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
29
4.3k
Why Our Code Smells
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
324
54k
Creatively Recalculating Your Daily Design Routine
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
205
10k
How To Stay Up To Date on Web Technology
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
250k
Designing for Performance
245cee81a9c424266e5e401d844ea881?s=48 lara
596
63k
The Mythical Team-Month
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
208
39k
Dealing with People You Can't Stand - Big Design 2015
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
350
21k

Transcript

  1. OWASP Russia Meetup #3 Web Application Security: future standards and

    technologies
  2. None
  3. None

  4. Web Application Security Working Group The mission of the Web

    Application Security Working Group, part of the Security Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication. http://www.w3.org/2014/12/webappsec-charter-2015

  5. Agenda • CSP2 (very shortly) • Subresource Integrity • Referrer

    Policy • Credential Management API • Confinement with Origin Web Labels • Entry Point Regulation for Web Applications

  6. CSP2 • www.w3.org/TR/CSP2/ • nonces & hashes!!!11111 • frame-ancestors to

    replace X-Frame- Options • unsafe-redirect • The CSP HTTP Request Header • More information in violation reports

  7. CSP2 nonces Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce- Nc3n83cn...9hc3'

    <script nonce="Nc3n83cn...9hc3"> alert("Allowed because nonce is valid.") </script>

  8. Subresource Integrity • www.w3.org/TR/SRI/ • Integrity verification via cryptographic hash

    <script src="https://example.com/example- framework.js" integrity="sha256- C6CB9UYIS9UJeq...5Twh+Y5qFQmYg=" crossorigin="anonymous"></script>
  9. None

  10. RefeRRer Policy • www.w3.org/TR/referrer-policy/ • <meta name="referrer" content="origin"> • None,

    None when downgrade, Origin Only, Origin when cross-origin, Unsafe URL

  11. Credential Management API • www.w3.org/TR/credential-management-1/ • Allow websites to more

    directly interact with the user agent’s credential manager • Help to detect sign-in via a third-party • Changing Password

  12. Password-based Sign-in navigator.credentials.get({ "types": [ "password" ] }).then( function(credential) {

    if (!credential) { // show basic form return; } if (credential.type == "PasswordCredential") { credential.send("https://example.com/login") .then(function (response) { // signin succeeded! }); } else { // See the Federated Sign-in example } });

  13. And the last... • Confinement with Origin Web Labels •

    Entry Point Regulation for Web Applications • Permissions API • Suborigin Namespaces • Mixed Content • User Interface Security Directives for Content Security Policy
  14. None

  15. Thanks! mailto:oxdef@oxdef.info