Taking control of the Browser Security Model

This past weekend at the Devsigner Conference held in Portland, Oregon, Dylan Tack gave an excellent presentation entitled “Taking control of the Browser Security Model”:

Since the birth of the web, the browser security model has remained nearly static. Recent evolutions make it possible for site operators to fine-tune the security model, and enforce mandatory access controls. This session will focus on Content-Security-Policy, and other browser security features like Strict Transport Security and Public Key Pins.

47% of all web applications have a cross-site-scripting vulnerability, and this potential security flaw ranks in the top three classes of all vulnerabilities. [ White Hat Security, 2015 Website Security Statistics Report ]

A Content Security Policy is a systematic way to block these attacks, by whitelisting allowed sources of script, style, and other resources. The holy grail – blocking “unsafe-inline” code – offers the strongest defense, but can be a big surprise for front-end developers when inline scripts and styles stop working!

If you are developing for the web you need to take a look at his slide deck. If you have any questions, feel free to let let me know.

Advertisement

Author: Bruce Elgort

You’ll find this technology professor – an award-winning instructor at Clark College – working hard to inspire and challenge his students with meaningful web development and programming experiences. With a skinny vanilla latte (no foam) in hand, Bruce loves to tinker and test the boundaries of existing and emerging technologies, to then guide hungry minds through memorable, educational journeys to showcase with passion the ever-evolving innovations of society. An industry leader, Bruce is known for co-developing Elguji’s IdeaJam software, and is recognized by IBM as an ‘IBM Champion’ for being an innovative thought leader in cloud technologies.

2 thoughts on “Taking control of the Browser Security Model”

Comments are closed.

%d bloggers like this: