We interviewed Christian Wenz, who is one of our speakers at ConFoo Vancouver 2016. His presentation is titled “Content Security Policy (CSP): Rest in Peace, XSS!” Mr. Wenz is a frequent conference speaker, co-author of over 100 books, a consultant, a trainer and is an expert on web security. He lives in Germany.
Why does everyone seem to struggle with web security these days?
You do not see the absence of security, you only see it after a breach, when it’s too late. And the way the web works, many security issues are easy to get, and easy to exploit. If you look at the current OWASP Top Ten of the most frequent security risks, most entries on the list are over a decade old! So the situation does not seem to be getting better, and yet more and more people start developing web applications and need proper security training.
How does Cross-Site Scripting (XSS) work and what harm can be done with it?
How does Content Security Policy solve the problem?
What is the complexity of implementing CSP in existing large applications?
It depends™. If the application follows some best practices – no inline code and inline styles, a limited number of domain names in use, not many external libraries and dependencies – then implementing CSP is a rather short task. If not, then the application needs to be refactored, and we will be discussing strategies during my session. Luckily, there is a special CSP mode that logs policy violations but does not enforce the rules, so a CSP may be taken for a test drive first.
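The report-only test drive mentioned above, as an added illustration that is not part of the interview or Mr. Wenz's material: the same policy string is sent either as `Content-Security-Policy-Report-Only` (browser reports, does not block) or as `Content-Security-Policy` (browser enforces), and the violation reports the browser POSTs to the `report-uri` endpoint are triaged into the refactoring each one calls for. The policy, the `/csp-report` endpoint, the `cdn.example.com` host and the sample reports are all constructed assumptions.

```python
import json

# Constructed policy: no inline script/style, scripts only from self and one
# assumed CDN host, violations posted to an assumed /csp-report endpoint.
POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "style-src 'self'; "
    "object-src 'none'; "
    "report-uri /csp-report"
)


def csp_header(policy, enforce):
    """Return the (name, value) header pair for the policy.
    enforce=False -> Content-Security-Policy-Report-Only: the page still runs,
    the browser only reports what *would* be blocked (the test-drive mode).
    enforce=True  -> Content-Security-Policy: violating resources are blocked."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, policy


def summarize_report(body):
    """Parse one violation report (the JSON a browser POSTs to report-uri) and
    map the blocked-uri value to the refactoring it points at."""
    report = json.loads(body)["csp-report"]
    blocked = report.get("blocked-uri", "")
    # effective-directive is the short form; older browsers only send violated-directive
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    if blocked == "inline":
        action = "move inline script/style into a file (or allow it via nonce/hash)"
    elif blocked == "eval":
        action = "remove eval/Function usage or allow 'unsafe-eval' explicitly"
    elif blocked.startswith(("http://", "https://")):
        action = "add host to the allow-list if legitimate, otherwise investigate"
    else:
        action = "inspect manually"
    return {"page": report.get("document-uri"), "directive": directive.split()[0] if directive else "",
            "blocked": blocked, "action": action}


# Constructed sample reports in the shape a browser sends them.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/checkout",
                               "violated-directive": "script-src 'self' https://cdn.example.com",
                               "effective-directive": "script-src", "blocked-uri": "inline", "line-number": 42}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/checkout",
                               "violated-directive": "script-src 'self' https://cdn.example.com",
                               "blocked-uri": "https://unknown-third-party.example/widget.js"}}),
]


def triage(reports):
    """Summarize every report; run this over the report-only log before switching to enforce."""
    return [summarize_report(r) for r in reports]


if __name__ == "__main__":
    print(": ".join(csp_header(POLICY, enforce=False)))
    for item in triage(SAMPLE_REPORTS):
        print(item)
```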
What would be your #1 advice to companies to increase their security?
Make web security part of your development process. It’s like with every other kind of software defect: the later in the process you take care of it, the more expensive it is.