
Published on June 2nd, 2013

XSS Defense, Past, Present and Future – Jim Manico


Jim Manico lecturing at SecAppDev Leuven 2013. Content jointly authored with Eoin Keary.

Learning objectives

Ability to manage the risk of Cross Site Scripting (XSS) via:
+ Manual Code Review
+ Manual Penetration Testing
+ Computer Programming/Secure Coding techniques
The attendee will also learn how to effectively use a variety of input validation and contextual output encoding techniques, at multiple layers within an application, to reduce or eliminate the risk of XSS.

Overview


This talk will discuss the historical methods used for cross-site scripting (XSS) defense. Learning from these lessons, we will also discuss present-day defensive methodologies that are effective, even though they place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to frameworks and standards. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google Caja project.
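The "present day" defense the abstract refers to is contextual output encoding: the encoder is chosen by where untrusted data lands in the page (HTML body, HTML attribute, JavaScript string, URL parameter), and using the wrong encoder for a context leaves the hole open. The following is an added example written for this page, not code from the talk or from Jim Manico's or Eoin Keary's projects. The encoder names, the `render*` helpers and the attacker payloads are all assumptions constructed for illustration; the encoding rules follow the widely used per-context approach (entity-encode the HTML-significant characters in body text, encode every non-alphanumeric character in attributes and JavaScript strings).

```javascript
// Added example (not from the talk): contextual output encoding against XSS.
// Each encoder is tied to one output context. The last section shows why the
// context matters: HTML body encoding applied to an unquoted attribute still
// lets an attacker inject a new event-handler attribute.

// HTML body context:  <div>UNTRUSTED</div>
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// HTML attribute context:  <input value="UNTRUSTED">
// Encode everything but alphanumerics as &#xHH; so even an unquoted
// attribute cannot be terminated by a space, quote or '>'.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    '&#x' + c.charCodeAt(0).toString(16) + ';');
}

// JavaScript string context:  <script>var x = 'UNTRUSTED';</script>
// \xHH / \uHHHH escapes keep the data intact inside the literal while making
// a quote or a "</script>" sequence impossible to emit.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16);
    return hex.length <= 2 ? '\\x' + hex.padStart(2, '0')
                           : '\\u' + hex.padStart(4, '0');
  });
}

// URL parameter context:  <a href="/search?q=UNTRUSTED">
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Constructed attacker input (assumed, for the demonstration only).
const PAYLOAD = '"><script>alert(1)</script>';

// Vulnerable: untrusted data concatenated straight into markup.
function renderVulnerable(name) {
  return `<div class="greeting">Hello ${name}</div>`;
}

// Hardened: one encoder per context the same value is written into.
function renderHardened(name) {
  return `<div class="greeting" title="${encodeForHtmlAttribute(name)}">` +
         `Hello ${encodeForHtml(name)}</div>` +
         `<script>var user = '${encodeForJavaScript(name)}';</script>`;
}

// Check used by the test: did the attacker's script survive into the output?
function containsAttackerScript(html) {
  return /<script>alert/i.test(html);
}

// Wrong-encoder-for-context case: an unquoted attribute. The payload has no
// '<', '>', quotes or '&', so HTML body encoding leaves it untouched and the
// space lets it start a new onmouseover attribute.
const ATTR_PAYLOAD = 'x onmouseover=alert(1)';

function renderUnquotedAttribute(encoder, value) {
  return `<input value=${encoder(value)}>`;
}

function injectsNewAttribute(html) {
  return /\son\w+=/i.test(html);
}

// Stand-alone run: print both renderings so the difference is visible.
console.log(renderVulnerable(PAYLOAD));
console.log(renderHardened(PAYLOAD));
console.log(renderUnquotedAttribute(encodeForHtml, ATTR_PAYLOAD));          // still injectable
console.log(renderUnquotedAttribute(encodeForHtmlAttribute, ATTR_PAYLOAD)); // neutralized
```

The point of the last two lines is the one the talk's title makes: picking "an" encoder is not enough, the encoder has to match the output context, and that decision is exactly what auto-escaping template engines take out of the developer's hands.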

Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.

Eoin Keary is the CTO and founder of BCC Risk Advisory Ltd and an international board member and vice chair of OWASP. He has also led global security engagements for some of the world's largest financial services and consumer products companies. He is a well-known technical leader in the areas of software security and penetration testing. He leads the OWASP Code Review project and is focused on software security.
