A new era of security: How Web platform features can save your application

Speakers: Artur Janc (Google)

Artur is a Staff Engineer and team lead/manager on Google’s Information Security Engineering team. He focuses on protecting one of the world’s largest and most diverse web application ecosystems from web threats and contributes to the design of several web security specifications including Content Security Policy, Fetch Metadata Request Headers, and others.

A new era of security: How Web platform features can save your application

Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user: XSS, CSRF, clickjacking and related issues are common problems that most developers learn about — often the hard way! Luckily, new security mechanisms available in web browsers in 2019 offer exciting features which allow developers to protect their applications. In this talk, we’ll introduce these features and explain how to most effectively use them.

We’ll start by reviewing major threats based on an analysis of thousands of vulnerability reports Google receives each year under our Vulnerability Reward Program. We will find common themes between bugs which appear unrelated and focus our attention on the most frequent high-risk problems.

We’ll then turn our attention to security mechanisms implemented in modern browsers, which address entire classes of vulnerabilities. This includes CSP3 and Trusted Types to prevent XSS, Fetch Metadata Request Headers to defend against CSRF, and CORP/COOP to mitigate the threat of Spectre.

By the end, you will have a good understanding of common threats and a TODO for enabling protections in your application.

Event Page: https://voxxeddays.com/singapore/