Refreshments and sandwiches from 18:00.
BCS SPA SG AGM from 18:15 to 18:30
- Welcome and Introductions
- Apologies for absence
- Minutes of the previous AGM
- Matters arising from the minutes
- Chairman's report
- Treasurer's report
- Election of committee
PLEASE NOTE - all positions on the committee are open for election. If you wish to stand, please announce your intention to the Secretary (Mohinder Khosla - see http://bcs-spa.org/ for contact details) before the meeting.
Security flaws on websites are very widespread and, depending on the nature of the website, can lead to severe consequences. One of the reasons why securing web apps can be challenging is that many security aspects, such as client-side security, transport security and server-side security, have to be considered during design, implementation and operation.
Daniel will start with a brief overview of the many security deficiencies of the web and especially of web browsers. He will explain why secure transport is so important and point out the different guarantees that HTTPS provides, such as confidentiality, authenticity and integrity - and why there is no valid reason to keep serving a site over plain HTTP instead. He will show you how to get a free certificate for your website and how to test the HTTPS configuration.
The main focus of this talk is the recently introduced headers, such as HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) and Content Security Policy (CSP). Daniel will explain how HSTS and HPKP help to harden HTTPS against various attacks. He will also present the best practices for avoiding the common pitfalls.
Daniel will show how CSP has the capability to prevent Cross-Site Scripting (XSS) and Clickjacking attacks. He will also suggest good practices for formulating CSP policies for your site while minimising negative side effects, presenting some tools that will make your CSP journey as easy as pie.
All the aforementioned headers offer security “for free” in defence of your web apps, so you can start using them right away.
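An added example, not code from the talk or from Zuhlke, of checking one response for the common HSTS and CSP pitfalls the abstract refers to (short max-age, missing includeSubDomains, 'unsafe-inline' scripts, no clickjacking defence); the six-month HSTS threshold and the sample headers are assumptions.

```python
# Added example, not the speaker's or Zuhlke's code: audit the HSTS, CSP and clickjacking headers of one response.
from typing import Dict, List
MIN_HSTS_MAX_AGE = 15768000  # assumption: six months, a commonly recommended HSTS minimum

def parse_hsts(value: str) -> Dict[str, str]:
    # 'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}
    out: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [sources]}; a repeated directive keeps its first occurrence."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the common HSTS/CSP pitfalls; an empty list means none found."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    else:
        d = parse_hsts(h["strict-transport-security"])
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age shorter than six months")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    p = parse_csp(h.get("content-security-policy", ""))
    if not p:
        findings.append("CSP missing")
    script = p.get("script-src", p.get("default-src", []))  # script-src falls back to default-src
    # A nonce or hash makes CSP Level 2 browsers ignore 'unsafe-inline', so only flag it when neither is present
    if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("CSP script-src allows 'unsafe-inline' without nonce/hash")
    if "frame-ancestors" not in p and "x-frame-options" not in h:
        findings.append("no clickjacking defence (frame-ancestors or X-Frame-Options)")
    return findings

WEAK = {"Strict-Transport-Security": "max-age=300",  # constructed sample, not from any real site
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'"}
```

Running `audit_headers(WEAK)` lists four findings while `audit_headers(HARDENED)` returns an empty list, so the same checks can be run over the headers a site actually sends before a policy goes live.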
About the Presenter
Daniel Gartmann has been a senior software engineer at Zuhlke Engineering Ltd with special responsibility for web application security, network security and server security since 2015, and before that at Zuhlke AG in Zurich. He publishes occasional blog posts on the Zuhlke web site.