@ LASCONATX April 30, 2013 CSP To the Rescue

Upload: neil-matatall

Post on 15-Jan-2015


TRANSCRIPT

1. CSP To the Rescue (@ LASCONATX, April 30, 2013)

   (Every slide from here on carries the footer "@LASCONATX April 2013 | @ndm | @SeeEssPee | @sadb | @twittersecurity"; it is shown once here and omitted below.)

2. It's all about me
   - I've been called a jackass
   - I've been called an appsechole
   - I have opinions
   - Opinions are often wrong
   - Please disagree with me
   - That's how we learn

3. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security

4. Code review, External reports, Pen testing, Static analysis tools, Dynamic analysis tools, CSP

5. Get the right information to the right people

6. Find bugs as quickly as possible

7. Analyze from many angles

8. Help people help themselves

9. Do you use these?
   - Content security policy
   - X-Frame-Options
   - HTTP Strict Transport Security
   - X-Xss-Protection
   - X-Content-Type-Options

10. I'm already bored. Time to get awesomer.

11. Security headers: leverage the browser for security

12. Sweeeeet. I don't have to write secure code!

13. Time of convergence

14. Should you?

15. X-Content-Type-Options
    - Fixes MIME sniffing attacks
    - Only applies to IE, because only IE would do something like this
    - X-Content-Type-Options: nosniff
    - zzzzZZZZZZzzzzz

16. X-Xss-Protection
    - Use the browser's built-in XSS Auditor
    - X-Xss-Protection: [0-1](; mode=block)?
    - X-Xss-Protection: 1; mode=block
    - zzzzZZZ... huh? zzzzzzzz

17. X-Frame-Options
    - Protects you from most classes of clickjacking
    - X-Frame-Options: DENY
    - X-Frame-Options: SAMEORIGIN
    - X-Frame-Options: ALLOW-FROM example.com
    - zzz... oh hey, that's cool. Don't frame my stuff.
18. X-Frame-Options (image only)

19. Firesheep / SSL Strip
    - Given I don't have an HSTS header
    - And I have a session
    - When I visit http://example.com
    - Then I am pwned

20. Other SSL fails
    - Posting passwords over HTTP
    - Loading mixed content
    - Using protocol-relative URLs

21. Strict Transport Security

22. How hard is it to use?
    - Base case: Strict-transport-security: max-age=10000000
    - Do all of your subdomains support SSL? Strict-transport-security: max-age=10000000; includeSubdomains

23. Content secur-a-wat?
    - Content security policy is reshaping the security model
    - It is a complicated spec with great differences across browsers
    - It is not widely adopted
    - However!
    - It completely eliminates reflected and stored XSS
    - It ensures that you never load mixed content
    - It allows you to accept arbitrary HTML code from users

24. Wat? Sounds cool.
    - script-src
    - style-src
    - img-src
    - default-src
    - frame-src
    - connect-src
    - font-src
    - media-src
    - object-src
    - report-uri

25. (embedded video, not captured in the transcript)

26. Get rid of XSS, eh?
    - A script-src directive that doesn't contain unsafe-inline almost eliminates most forms of cross-site scripting.
    - I WILL NOT WRITE INLINE JAVASCRIPT (repeated seven times)

27. (no text on slide)
28. But I have to...
    - OK, then I'll inject: (payload shown as an image)
    - FALSE! img-src violation, no XHR allowed

29. Inline CSS too? WTF?

30. How to apply?
    - Secure headers! (poor name, I know)
    - Open sourced earlier this year
    - https://github.com/twitter/secureheaders

31. How does it work?
    - It sets a before_filter that applies each header
    - Values are based on options passed to the filter, or set in an initializer
    - Easily overridden
    - Secure by default!!!

32. What about that security policy thingy?
    - There are > 6 differences between these two header values (image)

33. Yay for standards: https://t.co/f26WWx3r7y

34. (no text on slide)

35. Long hair don't care. About browser inconsistencies.

36. W3: Get involved!!! Key results from the F2F in San Jose

37. Line numbers and column numbers
    - Previously, a report that was caused by inline scripts/styles was cryptic
    - Original FF implementation contained a script-sample
    - Evals / inserting script into the DOM would be buried in minified JS

38. sudo for JavaScript
    - Bookmarklets / plugins / etc.
    - How should they behave?
    - Bookmarklets show clear intention
    - Plugins somewhat questionable
    - Need to live outside the control of the parent page
    - But how?
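The before_filter idea from slides 30 and 31 in miniature, as an added example that is not code from the twitter/secureheaders gem: a default for every header on the earlier slides, a one-level override merge, `false` to switch a header off, and a lint pass for the configurations the talk warns against (unsafe-inline in script-src, HSTS without subdomains, no framing protection). The option names, the merge behaviour and the /csp_report endpoint are assumptions; the header names and values are the ones on the slides.

```ruby
# Added example, not code from twitter/secureheaders: a "secure by default,
# easily overridden" header builder in the spirit of the before_filter above.
# The option names, the merge behaviour and the /csp_report endpoint are
# assumptions; header names and values are the ones on the slides.
module HeaderDefaults
  DEFAULTS = {
    x_content_type_options: 'nosniff',          # stop MIME sniffing
    x_xss_protection:       '1; mode=block',    # browser XSS auditor, block mode
    x_frame_options:        'SAMEORIGIN',       # no cross-origin framing
    hsts: { max_age: 10_000_000, include_subdomains: true },
    csp: {                                      # no 'unsafe-inline' anywhere
      default_src: ["'self'"],
      script_src:  ["'self'"],
      style_src:   ["'self'"],
      img_src:     ["'self'"],
      report_uri:  '/csp_report'                # assumed collection endpoint
    }
  }.freeze

  # Merge overrides one level deep; `false` for a key disables that header.
  def self.merged(overrides)
    DEFAULTS.merge(overrides) do |_key, old, new|
      old.is_a?(Hash) && new.is_a?(Hash) ? old.merge(new) : new
    end
  end

  # Strict-Transport-Security value as shown on the HSTS slide.
  def self.hsts_value(opts)
    value = "max-age=#{opts[:max_age]}"
    value += '; includeSubdomains' if opts[:include_subdomains]
    value
  end

  # Content-Security-Policy value: snake_case keys become dashed directives.
  def self.csp_value(directives)
    directives.map do |key, sources|
      "#{key.to_s.tr('_', '-')} #{Array(sources).join(' ')}"
    end.join('; ')
  end

  # The headers a before_filter would set on the response.
  def self.build(overrides = {})
    c = merged(overrides)
    headers = {}
    headers['X-Content-Type-Options']    = c[:x_content_type_options] if c[:x_content_type_options]
    headers['X-Xss-Protection']          = c[:x_xss_protection]       if c[:x_xss_protection]
    headers['X-Frame-Options']           = c[:x_frame_options]        if c[:x_frame_options]
    headers['Strict-Transport-Security'] = hsts_value(c[:hsts])       if c[:hsts]
    headers['Content-Security-Policy']   = csp_value(c[:csp])         if c[:csp]
    headers
  end

  # Review the effective configuration for the weaknesses the talk calls out.
  def self.warnings(overrides = {})
    c = merged(overrides)
    out = []
    if c[:csp] && Array(c[:csp][:script_src]).include?("'unsafe-inline'")
      out << "script-src allows 'unsafe-inline': inline script XSS is not blocked"
    end
    out << 'HSTS does not cover subdomains' if c[:hsts] && !c[:hsts][:include_subdomains]
    out << 'no X-Frame-Options: page can be framed (clickjacking)' unless c[:x_frame_options]
    out
  end

  # Simulates the filter: merge the built headers into a response header hash.
  def self.apply(response_headers, overrides = {})
    response_headers.merge!(build(overrides))
  end
end

if __FILE__ == $PROGRAM_NAME
  HeaderDefaults.build.each { |name, value| puts "#{name}: #{value}" }
  puts HeaderDefaults.warnings(csp: { script_src: ["'self'", "'unsafe-inline'"] })
end
```

A per-controller override such as `HeaderDefaults.apply(response.headers, x_frame_options: 'DENY')` keeps every other default intact, which is the "easily overridden, secure by default" property the slide describes; running `warnings` in a test suite catches the day someone adds unsafe-inline to get a widget working.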
39. Reporting cross-origin
    - Original implementation did not allow CSP reports to be sent to a URI that does not match the same-origin policy, using the eTLD
    - e.g. https://ads.twitter.com can send reports to https://twitter.com, but not http://twitter.com or https://support.twitter.com or https://twitter.com:3000
    - As a result of the W3 face to face, the 1.0 spec shall say that reports can be sent anywhere!
    - However, cross-origin requests not allowed by CORS will be unauthenticated

40. script-(nonce|hash): the clash of the titans

41. Future

42. You mean there's more on CSP? The browser sends reports!

43. What does the report look like?

    {"csp-report"=>
      {"document-uri"=>"http://localhost:3000/home",
       "referrer"=>"",
       "blocked-uri"=>"ws://localhost:35729/livereload",
       "violated-directive"=>"xhr-src ws://localhost.twitter.com:*"}}

44. Quiz: what does this report indicate?

    {"csp-report"=>
      {"document-uri"=>"http://example.com/welcome",
       "referrer"=>"",
       "blocked-uri"=>"self",
       "violated-directive"=>"inline script base restriction",
       "source-file"=>"http://example.com/welcome",
       "script-sample"=>"alert(1)",
       "line-number"=>81,
       "column-number"=>1463,}}

45. Monitor and Tune ALL the things

46. Splunk

47. Trending and anomalies

48. (no text on slide)

49. Header status page
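A small triage routine for the reports on slides 43 and 44, added here and not part of the talk. The two reports are re-typed as the JSON document a browser POSTs to report-uri (constructed from the slides; the trailing comma in the second one is dropped because JSON does not allow it). The routine separates inline-script violations, which carry source-file, line-number, column-number and script-sample as slide 37 describes, from blocked external URIs, and a trend counter groups repeated findings the way the "monitor and tune" slides suggest. The severity labels and the same-host heuristic are assumptions; it also accepts the later blocked-uri value "inline", which newer browsers send where older ones sent "self".

```ruby
# Added example, not code from the talk or from twitter/secureheaders.
require 'json'
require 'uri'

module CspReportTriage
  # Constructed inputs: the two slide reports as the JSON a browser sends.
  LIVERELOAD_REPORT = <<~JSON
    {"csp-report": {
      "document-uri": "http://localhost:3000/home",
      "referrer": "",
      "blocked-uri": "ws://localhost:35729/livereload",
      "violated-directive": "xhr-src ws://localhost.twitter.com:*"}}
  JSON

  INLINE_REPORT = <<~JSON
    {"csp-report": {
      "document-uri": "http://example.com/welcome",
      "referrer": "",
      "blocked-uri": "self",
      "violated-directive": "inline script base restriction",
      "source-file": "http://example.com/welcome",
      "script-sample": "alert(1)",
      "line-number": 81,
      "column-number": 1463}}
  JSON

  Finding = Struct.new(:kind, :severity, :directive, :location, :summary)

  # Classify one report. Severity labels are an assumption for illustration.
  def self.triage(json_text)
    r         = JSON.parse(json_text).fetch('csp-report')
    directive = r.fetch('violated-directive', '')
    blocked   = r.fetch('blocked-uri', '')
    doc_host  = URI(r.fetch('document-uri')).host

    if %w[self inline].include?(blocked) || directive.start_with?('inline')
      # Inline script/style ran into a policy without 'unsafe-inline'.
      # source-file:line:column points at the exact spot in the page.
      location = [r['source-file'], r['line-number'], r['column-number']].compact.join(':')
      script   = directive.include?('script')
      sample   = r['script-sample'] ? " (sample: #{r['script-sample']})" : ''
      Finding.new(:inline, script ? :high : :medium, directive, location,
                  "inline #{script ? 'script' : 'style'} blocked#{sample}")
    else
      # An external resource was blocked; a resource on the document's own
      # host is usually tooling or a policy gap rather than an injection.
      blocked_host = URI(blocked).host rescue nil
      local = blocked_host == doc_host
      Finding.new(:blocked_uri, local ? :low : :medium, directive, blocked,
                  local ? "same-host resource #{blocked} blocked by #{directive}: likely tooling or a policy gap" \
                        : "third-party resource #{blocked} blocked by #{directive}")
    end
  end

  # Trending: count findings by (directive, location) so the noisy, known
  # violations can be tuned out of the policy and the rare ones stand out.
  def self.trend(json_reports)
    json_reports.map { |j| triage(j) }
                .group_by { |f| [f.directive, f.location] }
                .transform_values(&:size)
  end
end

if __FILE__ == $PROGRAM_NAME
  [CspReportTriage::LIVERELOAD_REPORT, CspReportTriage::INLINE_REPORT].each do |j|
    f = CspReportTriage.triage(j)
    puts "#{f.severity} #{f.kind} #{f.location}: #{f.summary}"
  end
end
```

On the slide 44 report the routine returns an inline-script finding located at http://example.com/welcome:81:1463 with the sample `alert(1)` attached, which is exactly the information slide 37 says was missing from the earlier, cryptic reports; on the slide 43 report it returns a low-severity same-host finding, the sort of development-tool noise a report pipeline should count and then tune out rather than page anyone about.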
50. CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security