Ksenia Dmitrieva
Web Security Consultant
Ksenia Dmitrieva-Peguero is a Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Her current concentration is on researching HTML5 technologies and new JavaScript frameworks, their security implications, vulnerability discovery and remediation. Ms. Dmitrieva-Peguero has delivered presentations and training sessions at conferences around the world, including BSides Security in London, Nullcon in India, AppSec California in the USA, RSA Asia Pacific & Japan in Singapore, AppSec Europe in Italy, and several NFJS shows.
Presentations
When talking about finding security defects we first think of security testing and static analysis of the code. Although, penetration testing and secure code review can uncover many types of security issues in an application, there are gaps that simply cannot be found with these traditional analysis techniques. The interactions between the different systems are beyond the code review level and the complex interconnections are often not reachable from the penetration tester’s point of view. Discovering weaknesses in the design of a system is the specific goal of threat modeling. Organizations benefit from this software design analysis because they can perform it without code to discover potential vulnerabilities early in the development cycle.
This talk will describe one of the popular threat modeling methodologies and follow its process of identifying the assets, security controls, and threat agents for a given system, and then creating a prioritized list of attacks. Security analysts together with system architects can then propose appropriate mitigations to be implemented by the team.
One of the leading application security vulnerabilities, cross-site scripting (XSS), has been consistently found in many corporate applications, regardless of traditional defense techniques, such as input validation and output encoding. Knowing the number of such vulnerabilities in the organization’s applications is only half the issue. To understand the real risk, it is important to know how many of these vulnerable applications actually get attacked on the day to day basis, and which specific instances of vulnerabilities are being exploited. Such information will answer the questions like: is a certain framework being exploited most of the time, because it has not been patched? Or is it an issue in the custom code that has not gone through the security code review process? Content Security Policy (CSP) is a new HTML5 technology that allows organizations not only protect their applications from cross-site scripting, ensure that the content of the site, such as audio, video, images, fonts, is only loaded from approved locations, but also to get reports on every violation of the policy, such as cross-site-scripting attempts.
This talk will discuss how to best implement Content Security Policy on the organization’s web sites and how to obtain data on the policy violations and attacks. We will first cover the basics of Content Security Policy, how the policy is configured, the possible security issues CSP may have, how it can be applied to an existing application or an application written from scratch. Then we will discuss the reporting mechanism, types of data returned in the violation reports, methods of aggregation, and browser support. At the end, existing report aggregation and analysis tools will be described, together with examples of existing CSP policies implemented by major social media companies.