
SPA-279: Pushing CSP to Prod - case study of a real Content-Security Policy

BCS Software Practice Advancement

Wednesday, April 2, 2014 from 6:30 PM to 8:30 PM (BST)


Event Details

Refreshments and sandwiches from 18:00.

Synopsis

Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5.

Our story will arm you with the knowledge you'll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun.

We'll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline the techniques we use to deal with these nuances at runtime. Next, we'll discuss the basic techniques we used for converting all of our classic "in-line" JavaScript to comply with the strict CSP that we developed. We'll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks.

Lastly, we'll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we'll share the results. Our hope is that by telling our story to the world, we'll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we'll save you the trouble and dissuade you from even trying).

Biography

Justin Clarke is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has many years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.

Justin is the technical editor and lead author of "SQL Injection Attacks and Defense" (Syngress 2009, 2012), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O'Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.


When & Where


BCS London
5 Southampton Street
WC2E 7HA London
United Kingdom

