We interviewed Christian Wenz, who is one of our speakers at ConFoo Vancouver 2016. His presentation is titled “Content Security Policy (CSP): Rest in Peace, XSS!” Mr. Wenz is a frequent conference speaker, co-author of over 100 books, a consultant, a trainer and is an expert on web security. He lives in Germany.
Why does everyone seem to struggle with web security these days?
You do not see the absence of security, you only see it after a breach, when it’s too late. And the way the web works, many security issues are easy to get, and easy to exploit. If you look at the current OWASP Top Ten of the most frequent security risks, most entries on the list are over a decade old! So the situation does not seem to be getting better, and yet more and more people start developing web applications and need proper security training.
How does Cross-Site Scripting (XSS) work and what harm can be done with it?
It basically means that someone else can run JavaScript code in the security context of your web site, giving the code read and write access to the elements on a page, access to most cookies (which in turn might be used for session-based authentication), and much more, making this one of the most dangerous attacks out there.
How does Content Security Policy solve the problem?
With CSP, browsers add an additional level of security by providing a policy governing the source of JavaScript code (and other content). For instance it is possible to limit the JavaScript code to be executed to JavaScript files on one’s own server, so attacks injecting inline script code or code hosted on another server are no longer possible. It is even possible to provide a checksum for the JavaScript code.
What is the complexity of implementing CSP in existing large applications?
It depends™. If the application follows some best practices – no inline code and inline styles, a limited number of domain names in use, not many external libraries and dependencies – then implementing CSP is a rather short task. If not, then the application needs to be refactored, and we will be discussing strategies during my session. Luckily, there is a special CSP mode that logs policy violations but does not enforce the rules, so a CSP may be taken for a test drive first.
What would be your #1 advice to companies to increase their security?
Make web security part of your development process. It’s like with every other kind of software defect: the later in the process you take care of it, the more expensive it is.
Don't forget to register for your nearest ConFoo conference and follow us on Twitter for more blog posts.