It’s 2013, and cross-site scripting (XSS) is still on the OWASP Top 10, ten years after it held the number four slot on the same list. Although XSS seems easy to remediate, it continues to be problematic for developers, because edge cases crop up where the typical mitigation strategies are confusing to apply. However, advances in modern browser security give developers the opportunity to be far more proactive in addressing this vulnerability class, using a technology known as Content Security Policy (CSP). When configured and implemented correctly, CSP can severely cripple cross-site scripting attacks. Large technology companies such as Twitter, Facebook, Etsy, and GitHub are using it to transparently protect their end users from this common vulnerability class. This session combines short micro talks with a workshop geared at giving you the tools needed to understand and implement CSP. The first microtalk is a primer on CSP: we break down what CSP is and give you the tools to get started with it. The second microtalk centers on how to sell CSP to management, and on techniques to increase adoption in your organization. The final microtalk looks at what the web may look like in five years, and at how Content Security Policy will play a key role in mitigating increasingly potent client-side attacks.
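As an added illustration of the claim above, and not material from the session or its speakers, the following JavaScript models how a browser applies a CSP script-src directive and compares a permissive policy with a strict, nonce-based one against the same injected scripts. The page origin, hostnames, both policies and the fixed nonce are constructed for the example; the model deliberately ignores path components, hashes, 'strict-dynamic' and http-to-https upgrades.

```javascript
// Added example (not code from the session or its speakers): a minimal model of how a
// browser evaluates a Content-Security-Policy script-src directive. Origins, hosts,
// policies and the nonce below are constructed for illustration.

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
// As in the spec, the first occurrence of a directive wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Match a URL against one host-source expression such as
// https://cdn.example.com, *.example.com, example.com:8443 or *.
// Simplifications: paths are ignored, and a source without a scheme only
// matches http(s) URLs (no http -> https upgrade logic).
function hostSourceMatches(expr, url) {
  if (expr === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  let rest = expr;
  let scheme = null;
  const m = rest.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (m) { scheme = m[1].toLowerCase() + ':'; rest = rest.slice(m[0].length); }
  if (scheme ? url.protocol !== scheme : !['http:', 'https:'].includes(url.protocol)) return false;
  rest = rest.split('/')[0];                       // drop any path component
  const [hostPattern, portPattern] = rest.split(':');
  const host = url.hostname.toLowerCase();
  const pat = hostPattern.toLowerCase();
  if (pat.startsWith('*.')) {
    // '*.example.com' matches subdomains only, never the bare 'example.com'
    if (!host.endsWith(pat.slice(1))) return false;
  } else if (host !== pat) {
    return false;
  }
  if (portPattern !== undefined && portPattern !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (urlPort !== portPattern) return false;
  }
  return true;
}

// Decide whether a script ({inline: true[, nonce]} or {src: url}) may execute on a
// page at pageOrigin under the given policy header.
function scriptAllowed(header, pageOrigin, script) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;          // no directive: browser default, unrestricted
  if (script.inline) {
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    // Per the spec, 'unsafe-inline' is ignored once a nonce or hash source is present.
    const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  const url = new URL(script.src);
  if (sources.includes("'self'") && url.origin === pageOrigin) return true;
  // Keyword sources ('none', 'self', ...) are quoted and never match a host.
  return sources.some(s => !s.startsWith("'") && hostSourceMatches(s, url));
}

const PAGE_ORIGIN = 'https://shop.example.com';    // constructed page origin
const NONCE = 'r4nd0m';                            // fixed here only for the example; must be fresh per response
// Permissive policy: looks like CSP but gives no protection against XSS.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline'";
// Strict policy: own origin plus a pinned CDN, inline scripts only with the nonce.
const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; object-src 'none'";

// What an XSS payload typically injects (constructed), and what the page itself loads.
const injected = [
  { inline: true },                                // <script>alert(document.cookie)</script>
  { src: 'https://evil.example.net/steal.js' },
];
const legitimate = [
  { src: 'https://shop.example.com/app.js' },
  { src: 'https://cdn.example.com/lib.js' },
  { inline: true, nonce: NONCE },                  // <script nonce="r4nd0m">...</script>
];

function evaluate(header) {
  return {
    injectedBlocked: injected.every(s => !scriptAllowed(header, PAGE_ORIGIN, s)),
    legitimateAllowed: legitimate.every(s => scriptAllowed(header, PAGE_ORIGIN, s)),
  };
}

console.log('weak  :', evaluate(WEAK_CSP));    // { injectedBlocked: false, legitimateAllowed: true }
console.log('strict:', evaluate(STRICT_CSP));  // { injectedBlocked: true, legitimateAllowed: true }
```

The point the two policies make is the one the abstract is careful about: a policy that is present but permissive (a wildcard plus 'unsafe-inline') stops nothing, while a policy that names its origins and gates inline code behind a per-response nonce lets every legitimate script run and blocks both forms of injected script.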
Bio:
Ian Melven - New Relic
Joel Weinberger - Google - Google engineer on Chrome Security, working on CSP and other security features, and former UC Berkeley grad student and security researcher.
Caleb Queern - Cyveillance
Kenneth Lee - Etsy
Scott Behrens - Netflix - Scott Behrens is a senior application security engineer at Netflix, security researcher, open source developer and a heavy metal drummer.
Patrick Thomas - Neohapsis
Garret Robinson - Mozilla