AppSec USA 2016 has ended
Thursday, October 13 • 9:15am - 9:25am
Lightning Talk - Demystifying CSP


There have been many attempts to make the Web a more secure place, or at least to make it harder to attack web applications. One of them is CSP, Content Security Policy. In my talk, I will cover the history of CSP, how it has evolved from its original version, and what features will be available in the near future.
One of the challenges in deploying CSP is understanding which versions and directives are supported by different web browsers. In this presentation, I will share the current CSP compatibility matrix for major web browsers to provide a better understanding of CSP support. I will also demonstrate a framework that I developed to make it easy for anyone to run the same set of CSP feature tests, inspect the results, and add new feature checks.
In the last part of the presentation, I will show the usage of CSP by the Alexa top web sites and how good their CSP policies are. I will also explain common CSP mistakes and strategies to fix them. Last but not least, I will demonstrate various tools, frameworks and libraries that are useful for improving CSP policies.

Ilya Nesterov

Engineering manager, Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security. Prior to Shape, Ilya worked at F5 Networks, and earned his master's degree from Tomsk Polytechnic University. His interests include, but are not limited to, modern Web Application security threats and countermeasures...

Thursday October 13, 2016 9:15am - 9:25am EDT
Room C