Know Your Weaknesses: Vulnerability Reports Aggregation and Analysis with Content Security Policy

Wednesday, 5:00 PM EST - JUA

Cross-site scripting (XSS), one of the leading application security vulnerabilities, keeps turning up in corporate applications despite traditional defenses such as input validation and output encoding. Knowing how many such vulnerabilities an organization's applications contain is only half the problem. To understand the real risk, it is important to know how many of these vulnerable applications are actually attacked on a day-to-day basis, and which specific instances of the vulnerabilities are being exploited. That information answers questions such as: is a certain framework exploited most of the time because it has not been patched? Or is the issue in custom code that never went through security code review? Content Security Policy (CSP) is a W3C standard, delivered by the server as an HTTP response header, that allows organizations not only to mitigate cross-site scripting and to ensure that site content such as audio, video, images and fonts is loaded only from approved locations, but also to receive a report from the browser for every violation of the policy, including cross-site scripting attempts.

This talk will discuss how best to implement Content Security Policy on the organization's web sites and how to obtain data on policy violations and attacks. We will first cover the basics of Content Security Policy: how a policy is configured, the weaknesses a policy can have (for example, source lists permissive enough to be bypassed), and how it can be applied to an existing application or to one written from scratch. Then we will discuss the reporting mechanism, the types of data returned in violation reports, methods of aggregation, and browser support. Finally, existing report aggregation and analysis tools will be described, together with examples of CSP policies deployed by major social media companies.
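The reporting pipeline the talk describes, as an added example written for this page (it is not code from the talk, from the speaker or from Cigital): a policy with a report-uri, a constructed set of the JSON reports browsers POST to that endpoint, and a small collector that parses them, normalizes the browser-specific ways an inline-script block is encoded, groups reports by directive, blocked resource and page, and separates probable XSS attempts from browser-extension noise. The /csp-report path, the example hosts and every sample report are assumptions made for the example.

```python
"""Aggregate Content Security Policy violation reports (added example; hosts,
the /csp-report endpoint and all sample reports are constructed, not real)."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Policy the example site is assumed to send in its Content-Security-Policy
# header; report-uri tells the browser where to POST violation reports.
POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "img-src 'self' data:; "
    "report-uri /csp-report"
)

# Browser extensions inject scripts into pages; their violations are not attacks.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension"}

# Values browsers have put in blocked-uri for a blocked inline script:
# Chrome reports "inline", older Firefox reported "self", CSP 1.0 sent "".
INLINE_MARKERS = {"inline", "self", ""}

# Constructed sample bodies in the application/csp-report JSON shape.
SAMPLE_BODIES = [
    # 1: inline script blocked on /search; the query string carries a payload
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/search?q=%3Cscript%3E",
        "violated-directive": "script-src 'self' https://cdn.example.com",
        "effective-directive": "script-src",
        "original-policy": POLICY,
        "blocked-uri": "inline",
        "source-file": "https://app.example.com/search",
        "line-number": 42,
        "status-code": 200,
    }}),
    # 2: same page, from a browser that omits effective-directive and
    #    encodes the inline block as "self"
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/search?q=%3Cimg%20onerror%3D",
        "violated-directive": "script-src 'self' https://cdn.example.com",
        "original-policy": POLICY,
        "blocked-uri": "self",
    }}),
    # 3: a browser extension injecting its own script (noise, not an attack)
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/account",
        "violated-directive": "script-src 'self' https://cdn.example.com",
        "effective-directive": "script-src",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",
    }}),
    # 4: an image loaded from a host the policy does not allow
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/account",
        "violated-directive": "img-src 'self' data:",
        "effective-directive": "img-src",
        "blocked-uri": "https://tracker.example.net/pixel.gif",
    }}),
    # 5: garbage POSTed to the endpoint; the collector must not trust its input
    "not a json document",
]


def parse_report(body):
    """Return the inner csp-report dict, or None if the body is not a CSP report."""
    try:
        outer = json.loads(body)
    except ValueError:
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    return report if isinstance(report, dict) else None


def directive_of(report):
    """Directive name that was violated, whichever field the browser filled in."""
    if report.get("effective-directive"):
        return report["effective-directive"]
    # violated-directive holds the full directive text, e.g. "script-src 'self' ..."
    return report.get("violated-directive", "").split(" ", 1)[0]


def normalize_blocked(blocked):
    """Collapse the browser-specific encodings of an inline-script block to "inline"."""
    return "inline" if blocked in INLINE_MARKERS else blocked


def classify(report):
    """Triage one report: possible XSS, extension noise, or other violation."""
    blocked = normalize_blocked(report.get("blocked-uri", ""))
    if urlsplit(blocked).scheme in EXTENSION_SCHEMES:
        return "extension-noise"
    if directive_of(report) == "script-src" and blocked in ("inline", "eval"):
        return "possible-xss"
    return "other-violation"


def aggregate(bodies):
    """Count reports per (directive, blocked resource, page) and per triage class.
    The query string is dropped from document-uri when grouping: it often carries
    the attack payload and would split one vulnerable page into many keys."""
    groups, classes = Counter(), Counter()
    for body in bodies:
        report = parse_report(body)
        if report is None:
            classes["malformed"] += 1
            continue
        doc = urlsplit(report.get("document-uri", ""))
        page = f"{doc.scheme}://{doc.netloc}{doc.path}"
        key = (directive_of(report), normalize_blocked(report.get("blocked-uri", "")), page)
        groups[key] += 1
        classes[classify(report)] += 1
    return groups, classes


if __name__ == "__main__":
    groups, classes = aggregate(SAMPLE_BODIES)
    for key, count in groups.most_common():
        print(count, *key)
    print(dict(classes))
```

On the constructed input the two inline-script reports for /search collapse into one group with a count of 2, the extension injection and the blocked tracking pixel each form their own group, and the non-JSON body is counted as malformed. The grouping key is what lets a team see which page and which directive is hit most often, which is the question the talk poses; filtering out extension noise first keeps that ranking from being dominated by reports that are not attacks.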

About Ksenia Dmitrieva

Ksenia Dmitrieva-Peguero is a Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Her current concentration is on researching HTML5 technologies and new JavaScript frameworks, their security implications, vulnerability discovery and remediation. Ms. Dmitrieva-Peguero has delivered presentations and training sessions at conferences around the world, including BSides Security in London, Nullcon in India, AppSec California in the USA, RSA Asia Pacific & Japan in Singapore, AppSec Europe in Italy, and several NFJS shows.