Wednesday, January 25 • 2:00pm - 2:50pm
CSP: The Good, the Bad and the Ugly


The W3C Web Application Security Working Group has worked hard to establish new standards that improve the security of web applications: CORS, SRI, HSTS and HPKP are just a few of them. The most complicated member of that family is Content Security Policy (CSP), which has become so complex that web application developers and DevOps teams can easily get lost on where to start and what to do when they need to integrate CSP.

In this presentation I'll help you figure out where to start, what to do and which issues you might face if you want to add CSP to your web application.

Attendees will learn about the key differences between CSP levels 1, 2 and 3, what a secure CSP is and how to build one. We'll also talk about creating a production-ready, backward-compatible policy.

I'll also present how the Alexa top million websites adopt CSP and show interesting patterns I discovered among their policies, typical mistakes and strategies to fix them.

In the final part I'll talk about the tools and frameworks we have, and about the tools and frameworks we still need to build to deploy CSP efficiently.

Speakers
Ilya Nesterov

Engineering Manager, Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security, where he is responsible for product quality. Prior to Shape, Ilya led QA teams at F5 and earned his master's degree from Tomsk Polytechnic University. His area of interest is web application security, in particular identifying vulnerabilities using automation techniques. Ilya also works as an independent security researcher and spoke at the AppSec USA 2016 conference.



Wednesday January 25, 2017 2:00pm - 2:50pm
Terrace Lounge