Nov 12

OWASP AppSecUSA 2012

I recently attended my first OWASP conference, AppSec USA, which took place at the end of October in Austin, Texas.

This year I’ve been trying to attend conferences besides the small set I’ve attended in the past. One thing that attracted me to the AppSec USA conference was OWASP’s focus on building secure software and websites, not just on breaking software or finding new vulnerabilities.

In Austin, I spoke to several attendees who were extremely interested in the security features we are working on for Firefox and had some especially good discussions about Content Security Policy (aka CSP). CSP was mentioned frequently over the course of the conference presentations and it was also listed as a ‘top 10 web defense’. I spoke to folks from several major sites who were either testing CSP or planning to start rolling it out over the next year. This is particularly relevant to me personally, as I’ve been working on making Firefox CSP 1.0 compliant [1]. It was extremely encouraging and motivating to hear so much advocacy for CSP; it seems like it’s really starting to gain momentum on the web.

I also heard two other neat uses for CSP: detecting mixed content on one of your site’s pages (an https page whose policy reports a blocked http:// resource), and detecting infected browsers by catching the violation reports their injected requests to malicious sites generate. CSP’s ability to specify a report-only policy, so sites can try out a policy and see what violations get reported without the risk of blocking anything, seems to be a particular favorite feature. Additionally, I told folks interested in CSP about the User CSP add-on (written by Kailas Patel as his Google Summer of Code project), which allows a user to apply a custom CSP to a site or auto-generate an initial CSP. There are many similar projects under development to help generate a policy for a site.
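To make the report-only and detection uses above concrete, here is a small added example (my illustration for this post, not Mozilla or Firefox code) of what a site’s report-uri endpoint can do with CSP 1.0 violation reports: it classifies each report as mixed content, an unexpected host (a candidate for injected or malware content), a policy gap, or inline/eval. The policy, the host names (`shop.example.test`, `evil-ads.invalid`, …), the `/csp-report` path and the sample reports are all constructed for the example.

```javascript
'use strict';
// Added example: classifying CSP 1.0 violation reports collected from a
// report-only policy. Policy, hosts and sample reports are constructed.

// The policy a site might deploy in report-only mode before enforcing it.
const POLICY =
  "default-src 'self'; script-src 'self'; " +
  "img-src 'self' https://static.example.test https://cdn.example.test; " +
  "report-uri /csp-report";

// Header to send so violations are reported but nothing is blocked.
const REPORT_ONLY_HEADER = ['Content-Security-Policy-Report-Only', POLICY];

// Collect every host named as a source expression anywhere in the policy.
// 'self' maps to the document's host; other keywords, scheme-only sources
// (https:, data:) and the report-uri directive are skipped. Ports and paths
// are ignored to keep the matching simple.
function allowedHosts(policy, documentHost) {
  const hosts = new Set();
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!name || name === 'report-uri') continue;
    for (const src of sources) {
      if (src.startsWith("'")) {                 // keyword: 'self', 'unsafe-inline', ...
        if (src === "'self'") hosts.add(documentHost.toLowerCase());
        continue;
      }
      if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) continue;   // scheme-only source
      const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '')
        .split('/')[0].split(':')[0].toLowerCase();
      if (host) hosts.add(host);
    }
  }
  return hosts;
}

// Exact match, or a leading-wildcard source such as *.example.test.
function hostAllowed(hosts, host) {
  for (const h of hosts) {
    if (h === host) return true;
    if (h.startsWith('*.') && host.endsWith(h.slice(1))) return true;
  }
  return false;
}

// Classify one decoded csp-report object. Precedence: a host the policy never
// names is the most interesting (possibly injected content or a compromised
// client), then a scheme downgrade on an https page (mixed content), then a
// host the policy names elsewhere but not on the violated directive (a gap
// in the policy itself that the site should fix before enforcing).
function classify(report) {
  const doc = new URL(report['document-uri']);
  const blocked = report['blocked-uri'] || '';
  // Inline script and eval are reported with a non-URL token; implementations
  // have used 'inline', 'eval', 'self' or an empty string.
  if (!blocked.includes('://')) return 'inline-or-eval';
  const target = new URL(blocked);
  const hosts = allowedHosts(report['original-policy'], doc.hostname);
  if (!hostAllowed(hosts, target.hostname)) return 'unexpected-host';
  if (doc.protocol === 'https:' && target.protocol === 'http:') return 'mixed-content';
  return 'policy-gap';
}

// Handle one POST body received at the report-uri. Reports are client-supplied
// input, so anything malformed is tolerated and labelled rather than thrown.
function handleReportBody(body) {
  try {
    const report = JSON.parse(body)['csp-report'];
    return {
      category: classify(report),
      blocked: report['blocked-uri'] || '',
      directive: report['violated-directive'] || '',
    };
  } catch (e) {
    return { category: 'malformed', blocked: '', directive: '' };
  }
}

// Aggregate a batch of raw bodies into counts per category.
function summarize(bodies) {
  const counts = {};
  for (const body of bodies) {
    const { category } = handleReportBody(body);
    counts[category] = (counts[category] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports in the CSP 1.0 wire format.
function sampleReport(blockedUri, violatedDirective) {
  return JSON.stringify({ 'csp-report': {
    'document-uri': 'https://shop.example.test/cart',
    'referrer': '',
    'blocked-uri': blockedUri,
    'violated-directive': violatedDirective,
    'original-policy': POLICY,
  } });
}
const SAMPLE_BODIES = [
  sampleReport('http://static.example.test/logo.png', "img-src 'self' https://static.example.test https://cdn.example.test"),
  sampleReport('https://evil-ads.invalid/inject.js', "script-src 'self'"),
  sampleReport('inline', "script-src 'self'"),
  sampleReport('https://cdn.example.test/app.js', "script-src 'self'"),
  'not json at all',
];

console.log(REPORT_ONLY_HEADER.join(': '));
console.log(summarize(SAMPLE_BODIES));
```

Run on the constructed batch it yields one report in each of the five categories. The two detection uses from the talks correspond to `mixed-content` and `unexpected-host`; `policy-gap` is the report-only mode’s main purpose, surfacing what the policy would break so it can be widened before being enforced.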

Mozilla’s CTO Brendan Eich gave an interesting and well-received talk on how we ended up with the same-origin model of the web today and on future developments towards more secure JavaScript. Yvan Boily from the Security Assurance team also spoke on how Mozilla delivers security at scale, involving both community participation and developing open source automated security tools. Michael Coates, Mozilla’s Director of Security Assurance, was part of a panel on bug bounties along with speakers from Etsy, Facebook and Google. The bug bounties panel was popular with attendees, and afterwards quite a few people said they would look into starting their own bug bounty programs based on the experiences shared by the panelists.

I also attended quite a few sessions about issues with SSL and the current CA system. It was great to hear folks pushing HSTS (by the way, Firefox now has an HSTS preload list, thanks to David Keeler; see his blog post for more details) and certificate pinning, which Camilo Viecco is currently working on.

Overall, I really enjoyed being able to talk to other folks on the defense side of security. Additionally, I feel like I saw and heard a lot to support our Security Engineering roadmap; it seems to be really well lined up with the mechanisms that folks who protect sites are looking for browsers to provide. I really hope to be able to attend the next AppSecUSA in NYC in 2013 to continue the dialogue and maybe get some ideas for new security features!

(PS: speaking of CSP and security mechanisms, I’ll also take this chance to plug the work Isaac Dawson recently did surveying which security headers are used by the Alexa Top 1,000,000 sites; this is some fascinating research!)

[1] For details, see bug 783049 and bug 746978.