html5 security features at app sec usa

speaker: Johannes Ullrich

HTML5: risky business or security tool chest? (talk at AppSec USA)

HTML 5 is

  • A collection of JavaScript APIs
  • Features that enable modern desktop-like applications and support mobile devices
  • Your browser supports HTML5 even if you don’t use it [well, pieces of it]

Authentication

  • Inclusive authentication – proof of the identity of the user
  • Exclusive authentication – disproving the identity of the user – for example, an IP address isn’t good enough for authentication, but it can serve as a second-level check, such as confirming the user is still on the expected network after login. GPS position can be used the same way
  • Half factor – a password or a token on its own – an attacker goes after whichever is weaker

[I missed the part about local storage because I was focused on trying to connect to the internet – remember humans can’t really multi-task]

Login with touch

  • Circle part of an image. Don’t circle faces; everyone does that.
  • Android has connect-the-dots where you pick the pattern. Most people pick a common pattern like the letter C

Biometrics

  • Can do videoconferencing with just HTML5
  • Could use faces, hand signals/gestures or fingerprints
  • Not there yet. Hard to use when there is insufficient light
  • Can only recognize about 100 different patterns right now for faces
  • Apple is not giving web access to the fingerprint reader yet
  • OK as a second factor, but not ready for primary use. More of a gimmick than an authentication feature right now

Accelerometer

  • Can detect the camera (device) moving
  • Too much noise for authentication. Too hard for a user to make the same pattern repeatedly
  • Better for detecting whether the user is walking or is on the phone

Notifications

  • Only Safari has push notifications with the browser closed
  • Local notifications are widely supported. Good for finding out if you have mail
  • Could be used like SMS messages for security: “Someone else logged in as you”. Proactively notify users of security events.
  • Often you have to accept account sharing. Let the user decide what to do

URLs:
caniuse.com – which browsers support which features
authonthemove.com – has demo

My take
The client side hash is really interesting. It would be nice if browsers would help with/encourage that.

http security headers at app sec usa

speaker: Kenneth Lee

Why care:

  • These headers address user-facing security issues
  • Each one changes how the browser treats your site, so rollout needs care

HSTS (HTTP Strict Transport Security)

  • Forces the use of SSL/TLS for the site
  • Once the site sends this header, the browser will only visit the site over HTTPS for the lifetime of the policy (max-age)
  • The user needs to visit the website at least once over HTTPS in order to receive the header (browsers ignore it on plain HTTP).
  • Protects against man-in-the-middle attacks such as SSL stripping, once the policy is cached
  • But they didn’t want to make the whole site HTTPS yet – capacity planning assumed less HTTPS traffic. Once the whole site is ready for HTTPS, this per-user setting becomes deprecated
  • Need to prevent the load balancer from always sending the request back to HTTP, otherwise the browser’s HTTPS upgrade and the redirect to HTTP loop forever
  • He talked about the design Etsy used to implement this
  • Since multiple users with separate accounts can share the same machine, send a timeout (max-age) of 0 when a user turns the preference off, so the next person doesn’t inherit the other person’s preferences.
  • The browser handles the upgrade transparently: it rewrites the request to HTTPS before sending it (dev tools show this as an internal 307 redirect rather than a server round trip).
  • Need to make sure your CDN supports HTTPS. Similarly for 3rd-party content providers. Can’t load off-domain content over HTTP because the browser displays mixed-content warnings; Firefox and Chrome block it by default.
  • IE and mobile Safari don’t support it yet (at the time of the talk). Can’t use this header to solve routing problems.

X-Frame Options (XFO)

  • Prevents clickjacking by stopping other sites from framing your site
  • Used to have to use JavaScript (frame busting) to avoid being framed.
  • Can use JavaScript to log who is framing you (if you don’t know), so you have a list of sites that frame you. Then you can create a whitelist
  • The newer ALLOW-FROM option permits a whitelisted origin (one origin per response). Older browsers don’t support it though
  • Warn users if you are taking framing away. Maybe someone is using it to frame a product. Give them an alternate way to show the content they want to show.
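The two halves of that approach (log who frames you, then serve a header from the whitelist) as an added example, not code from the talk. The page-side function takes the window object as a parameter so it can be exercised against a fake window; the /frame-log path, the fullsite referer handling and the allowlist contents are assumptions:

```javascript
'use strict';
// Added example, not from the talk: (1) a browser-side check that reports who
// is framing the page, to build the whitelist from; (2) a server-side helper
// that turns that whitelist into an X-Frame-Options value. `win` is passed in
// so the same function works against a fake window object in tests.

// Returns null when the page is top-level, otherwise the framer's origin. For a
// framed document, document.referrer is the parent page's URL.
function framingReport(win) {
  if (win.top === win.self) return null;
  let framer = 'unknown';
  try {
    framer = new URL(win.document.referrer).origin;
  } catch (e) {
    // empty or unparsable referrer: still worth logging as "unknown"
  }
  return { framer, page: win.location.pathname };
}

// In a real page: reportFraming(window, (body) => navigator.sendBeacon('/frame-log', body));
// (/frame-log is a hypothetical logging endpoint.)
function reportFraming(win, send) {
  const r = framingReport(win);
  if (r) send(JSON.stringify(r));
  return r;
}

// Server side. refererHeader is the Referer on the request for the framed page;
// allowlist holds the origins collected from the log above. ALLOW-FROM carries
// a single origin, so the matching one is chosen per response. Caveat: browsers
// that never implemented ALLOW-FROM (Chrome, Safari) ignore the whole header
// when they see it, so check browser support before relying on it.
function frameOptionsFor(refererHeader, allowlist) {
  let origin = null;
  try {
    origin = new URL(refererHeader).origin;
  } catch (e) {
    // missing or malformed Referer: fall through to the safe default
  }
  if (origin && allowlist.includes(origin)) return `ALLOW-FROM ${origin}`;
  return 'SAMEORIGIN';
}
```

The default of SAMEORIGIN rather than DENY keeps your own pages able to frame each other; switch to DENY if nothing on the site is ever framed.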

CSP (content security policy)

  • If you transfer the header on each request, it can get large quickly
  • Doesn’t allow inline JavaScript on a website by default.
  • Can’t whitelist individual inline scripts in CSP 1.0 (the only escape hatch, ’unsafe-inline’, turns the protection off). Problem because most apps do have inline JavaScript – unless they are quite new
  • Can’t refactor everything right away
  • CSP 1.1 adds a browser JavaScript API.
  • CSP 1.1 adds delivering the policy in a meta tag rather than a header. He said the policy from the meta tag is used unless there is already a header.
  • CSP 1.1 also adds script-nonce (a random value per response) and script-hash (the hash of the specific inline script) to allow inline JavaScript. Pages cached by a CDN require the hash, because a cached nonce is no longer random.
  • Can use the reporting mechanism (report-uri) to log information about blocked elements
  • cspisawesome.com – good website to craft your own policy

X-XSS-Protection

  • Used to be IE-specific
  • Now in Chrome too. Chrome added a report URL mechanism
  • Looks for request parameter values reflected in the response
  • The filter was originally abused to break clickjacking-defensive JavaScript: reflect the page’s own frame-busting script in a parameter and the filter strips it from the page

X-Content-Type-Options

  • nosniff is the only value
  • Older versions of IE guessed the content type even if one was specified
  • Attackers took advantage of that to get content interpreted as a different type than the page author intended and turn it into an XSS attack

My take
The code example was really small. He said you could download the presentation to follow along, but I didn’t have internet at all in this room. Plus a lot of people were taking notes on paper without a device. There was plenty of space on the slide. He could have split the line across lines and used a decent font size.

The actual content had a lot that I didn’t know, which was good. I knew about X-Frame-Options. The rest was new to me. I had heard about CSP 1.0 when it came out, but “you can’t use it if you have any in-line JavaScript” made it a nonstarter.

[this wasn’t posted live due to lack of internet]

training developers at appsecusa

speaker: John Dickson

Bruce Schneier wrote in March: “I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere”

Developer Training vs User Behavior training

  • Both are trying to change behaviors
  • Developers have more power to say no / to drive training by releases
  • For developers, training is infrequent but more disruptive. User awareness training is 15-45 minutes. A developer class is 1-2 days.
  • PCI DSS requires training

Numbers

  • Metrics are rare, even for HR training.
  • Turnover is 20-30% in software development
  • Training budgets are one of the first things to cut in a bad economy

A research study

  • Included 600 developers. 100 had over 3 days of security training, but the results didn’t reflect that. Gave a 15-question multiple-choice quiz
  • “Didn’t want to ask how old they are because it shouldn’t matter” [why not?]
  • Over half of the developers had over 7 years of experience [we are in one of the few industries where this is considered odd or even worth mentioning]
  • Had a hypothesis that the financial services sector would have an advantage, but it didn’t score better. The sample size in that sector was too low.
  • Tested both awareness and defensive coding
  • The largest enterprises had the lowest secure coding knowledge. They weren’t the largest banks though; he suspects those would have raised the numbers.
  • Architects did best, QA did worst. Developers were in the middle.
  • Most people understand what an XSS error is, but less than 20% know what to do about it. The question is how you operationalize application security concepts.
  • Had to throw out 100 results (out of 600) because they didn’t complete the questions. This is common in studies. However, the questions they skipped were the harder ones, so the results are even worse if you count them as wrong.
  • Higher ed teaches at most one elective on security, and it likely just covers encryption. [Is it their job to do so? They also rarely cover testing or maintenance or many other skills that are needed in the real world]
  • The study only measured right before and right after the training. Need to measure again later, and reinforce

How developers learn

  • Companies buy a class or e-learning modules
  • After graduating, people learn informally: blogs, RSS, social media, developer websites, email lists, Safari Online [books aren’t dead]
  • Need refreshers, preferably in bite-size chunks. Include training in performance planning so the developer feels accountable for understanding it
  • Try to use real-world situations as refreshers. Talk about a breach
  • Incentives matter. Saw them making it more likely for people to fill out the survey, even for a captive audience.

Survey will become a whitepaper.

“Need to sell/market to the dev teams”

My take
Good session. The research study was interesting. I wish there was more time to go into that. There are good talking points in it. I certainly agree on the need to customize training.