10
Oct 08

Introduction

I want to help move the state of software security forward, especially web security. Web developers are currently groaning under a load of patchwork security mitigations, the result of browser and plugin developers wanting to maintain compatibility with existing content while not effectively supporting the rich applications of today and tomorrow.

For example, all web applications are vulnerable to cross-site scripting and similar code injection attacks by default, unless painstakingly mitigated by the application or framework developers.  Cross-domain data loading currently relies on server-side proxies, script importing, or Flash.  Cross-site/inter-frame communication is likewise hokey and risk-prone.

Fortunately, things are starting to change for the better. Access Control (http://www.w3.org/TR/access-control/) provides developers with native HTML methods for safely performing cross-site data loading, while postMessage (http://developer.mozilla.org/en/DOM/window.postMessage) provides a mechanism for frames from different sites to communicate securely. Neither of these mechanisms is a fool-proof design, in the sense that misconfiguration could still result in a security vulnerability, but both are a tremendous improvement and far safer than importing random scripts over HTTP.
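To make the misconfiguration point concrete for postMessage, here is an added example (not code from this post or from any browser vendor) that puts a receiver that trusts every sender beside one that checks the sender's origin and the message shape. The origin `https://widgets.example.com`, the `set-display-name` message format, and all function names are assumptions made for illustration.

```javascript
// Constructed example: the origin and message format are assumptions.
const TRUSTED_ORIGIN = "https://widgets.example.com";

// Misconfigured receiver: trusts every message, whichever site's frame sent it.
function naiveHandler(event, state) {
  state.displayName = event.data.displayName;
  return true;
}

// Hardened receiver: exact origin comparison, then validation of the payload.
function strictHandler(event, state) {
  // Compare the whole origin; prefix or substring tests accept lookalike hosts.
  if (event.origin !== TRUSTED_ORIGIN) return false;
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "set-display-name") return false;
  if (typeof msg.displayName !== "string" || msg.displayName.length > 64) return false;
  state.displayName = msg.displayName;
  return true;
}

// Sender: name the recipient's origin instead of "*", so the browser drops the
// message if the target frame has been navigated to another site.
function sendToWidget(targetWindow, payload) {
  targetWindow.postMessage(payload, TRUSTED_ORIGIN);
}

// Constructed message events, shaped like the browser's MessageEvent.
const fromPartner = {
  origin: "https://widgets.example.com",
  data: { type: "set-display-name", displayName: "Alice" },
};
const fromLookalike = {
  origin: "https://widgets.example.com.other.example",
  data: { type: "set-display-name", displayName: "Mallory" },
};

// In a page, wire the hardened receiver up like this.
if (typeof window !== "undefined") {
  const state = {};
  window.addEventListener("message", (event) => strictHandler(event, state));
}
```

The lookalike origin shares a prefix with the trusted one, which is why the hardened receiver compares the full origin string.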

In addition to designs largely finalized and in the process of being implemented in browsers, there are also a number of research efforts aimed at providing better mechanisms for addressing Cross-site Request Forgery (see the Origin header proposal located here: http://crypto.stanford.edu/websec/specs/origin-header), Cross-site Scripting mitigations (http://people.mozilla.org/~bsterne/content-security-policy), and content restrictions aka sandboxing (http://www.w3.org/html/wg/html5/#sandbox).

The above list is just a few examples of the initiatives brewing out there, and I will be digging into them in more detail in future posts.