Introduction

Overview

This talk is not about Browser security...

(though I'll talk about some browser features)

... it is about developers and how we can help them

(and a little bit about what I'm doing at Mozilla too)

We Have a Problem

The web is growing (fast)

Active domains: 313 to 677 million in year to April 2012 (Netcraft)

New sites, new developers

Many of these aren't well trained in security

There is a legacy of broken stuff

Many active sites are infrequently maintained

Developers, Developers, etc.

BSIMM - 2% of devs should be security pros

Life is easier for all if the rest improve

Relying on Frameworks

Adoption takes time

e.g. PHP

Relying on Frameworks (2)

Relying on Frameworks (3)

Source: langpop.com

Relying on Libraries

Relying on Tools / Services

What about the Browser?

Less diverse, easier to learn

There are many, many server technologies - fewer browsers

Implementation knowledge is transferable

I can say 'set this header' to Django / Java / .NET devs - they'll all know what I mean

The browser can only help with a subset of issues

Any help is welcome, right?

Vulnerability: XSS

In Browser: XSS Filter

In Browser: CSP

In Browser: CSP (2)

CSP is enabled by setting a response header:

X-Content-Security-Policy: default-src 'self'; img-src *; script-src 'self' *.example.com

CSP has a report-only mode: violations are reported to the report-uri but nothing is blocked, so a policy can be tried out before enforcing it

X-Content-Security-Policy-Report-Only: default-src 'self'; img-src *; script-src 'self' *.example.com; report-uri /csp/report

Clickjacking, etc.

In Browser: X-Frame-Options

Attacks: MITM

In Browser: STS

Vulnerability: CSRF

Soon: SameDomain Cookies

So who uses this stuff?

Header survey

Header                       2011     2012
X-Frame-Options:             0.54%    2.48%
X-XSS-Protection:            1.52%    2.2%
Strict-Transport-Security:   0.01%    0.21%
X-Content-Security-Policy:            0.01%
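As an added example (not the survey's own tooling): the kind of tally behind a table like this, run over recorded response headers. It also separates "header present" from "header set to a value that actually enables the protection", since a site sending X-Frame-Options: ALLOWALL or X-XSS-Protection: 0 counts for the first but not the second. The responses are constructed samples; the function names and validity rules are this example's own assumptions.

```javascript
// Added example: tally security headers over recorded HTTP responses.
// Input and rules are assumptions made for illustration.

// Per header: a test for whether the value turns the protection on.
const SECURITY_HEADERS = {
  'x-frame-options': (v) => /^(deny|sameorigin|allow-from\s+\S+)$/i.test(v.trim()),
  'x-xss-protection': (v) => /^1\b/.test(v.trim()),          // "0" disables the filter
  'strict-transport-security': (v) => /max-age=\d+/i.test(v),
  'x-content-security-policy': (v) => v.trim().length > 0,
  'content-security-policy': (v) => v.trim().length > 0,
};

// Parse "Name: value" lines into a map of lower-cased name -> first value.
// The status line and blank lines have no colon at a usable position and are skipped.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    if (!(name in headers)) headers[name] = line.slice(i + 1).trim();
  }
  return headers;
}

// For each header: % of responses that set it, and % whose value is effective.
function survey(rawResponses) {
  const pct = (n) => Math.round((10000 * n) / rawResponses.length) / 100;
  const parsed = rawResponses.map(parseHeaders);
  const result = {};
  for (const [name, isEffective] of Object.entries(SECURITY_HEADERS)) {
    let present = 0;
    let effective = 0;
    for (const h of parsed) {
      if (!(name in h)) continue;
      present += 1;
      if (isEffective(h[name])) effective += 1;
    }
    result[name] = { present: pct(present), effective: pct(effective) };
  }
  return result;
}

// Constructed sample: four responses as a crawler might record them.
const SAMPLE_RESPONSES = [
  'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\nStrict-Transport-Security: max-age=31536000\r\n',
  'HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\nX-XSS-Protection: 0\r\n',
  'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n',
  "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Security-Policy: default-src 'self'\r\n",
];

console.table(survey(SAMPLE_RESPONSES));
```

On the sample, X-Frame-Options is present on 50% of responses but effective on only 25%, which is the caveat to keep in mind when reading presence-only numbers like the ones in the table.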

Why?

Why?

Developer Tools

Firefox Devtools

Summary

Developer awareness is a good thing

Thanks!

Questions?

Contact:
