Content Security Policy - The Past, The Present, The Future?

[Dirk Wetter]

Hi all,

The OWASP Hamburg Stammtisch has its next online event soon. Presenting language
will be English again.

Happy to welcome Ben and Marius talking about their interesting research with
respect to Content Security Policy!


TLDR:
======
Title: "Content Security Policy - The Past, The Present, The Future?"
Speaker: Ben Stock / Marius Steffens
Location: Online, please check the link the day before
Start: 16th of March 2021, 6:30 pm (CET)
Link: https://www.meetup.com/OWASP-Hamburg-Stammtisch/events/276707139/
Networking: Stick around afterwards if you like.


Abstract :
==========
Content Security Policy has been around for 10 years and still only a fraction of sites
on the Web leverage its full potential to mitigate XSS and other flaws. In this talk,
we will discuss the evolution of CSP over time and how sites could leverage it to
secure against three attacks classes. This is based on our NDSS 2020 paper
(https://swag.cispa.saarland/papers/roth2020csp.pdf), which sheds light on the usage of
CSP on 10,000 sites over a period of six years. In addition, we will discuss how seemingly
irrelevant choices when allowing sites can lead to catastrophic consequences for the
security of CSP. Finally, we will discuss insights from our most recent study (NDSS 2021,
https://swag.cispa.saarland/papers/steffens2021blockparty.pdf), which shows that CSP’s
success is in large parts blocked by third parties, and cannot be blamed on developers.
With this, we’ll give our personal outlook on where CSP can be going from here, and what
needs to happen for it to succeed.


Bios:
=====
Ben Stock is a Tenure-Track Faculty at the CISPA-Helmholtz Center for Information Security
in Saarbrücken, where he currently supervises four PhD students. In his PhD, Ben focussed
on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he
worked closely with SAP Research and interned with Microsoft Research. After his PhD, he
joined CISPA as a postdoc, focussing on both Web Security as well as Usable Security
research. He currently heads the Secure Web Applications Group at CISPA, is a regular
speaker at academic and non-academic venues like CCS, USENIX Security, NDSS, Blackhat,
and OWASP AppSec.

Marius Steffens is a third-year PhD student in the Secure Web Applications Group at the
CISPA-Helmholtz Center for Information Security, supervised by Ben Stock. Marius is
interested in finding emerging vulnerabilities in client-side Web applications at a
large scale, leveraging dynamic program analysis techniques. Besides automatically
exploiting sites, he is also interested in understanding the pitfalls associated with
deployments of Web security mechanisms, which are currently hampering widespread adoption.

How to participate
==================
OWASP Hamburg Meetup members who RSVP'd for the event will see the Google Meet invite
URL at the RHS and can join the video conference directly. I'll update the invite URL
~ a day before. Please make sure when joining you are muted by default.

If you don't want to use meetup please reply to this mail (only to me) and I'll send you the
link ~ a day or so before.


Our OWASP "Stammtisch"
=========================
Our meeting is about web applications and their (in)security and/or about IT security in general.
People come together who care as a hobby or in their job about information security: developers,
managers, pentesters and everybody else who's interested. The atmosphere is open and relaxed.
Who's coming to sell products or services: Please move on, this is not the right place. OWASP is
about education and sharing (mostly) technical information.

Feel free to forward this mail to your colleagues or friends. They are welcome, too.
Participation is free and open -- as the O in OWASP.


Cheers, Dirk


--
OWASP Volunteer
Send me encrypted mails (Key ID 0x4D9CA7F2E2FA20B3)

[Dirk Wetter]

Hi all,

Reminder: Tomorrow's the meeting.

Link will be posted tomorrow around noon at meetup and
forwarded to those who sent me a mail.

CU tomorrow!

Cheers, Dirk