Overview
Explore framework security and developer-friendly approaches to application security in this AppSecEU 2016 conference talk by Oliver Lavery. Delve into the fundamental problems of output escaping and strict structural validation, and examine the root causes of injection vulnerabilities. Challenge the usual assignment of blame (to developers or to technologies) and evaluate why Web Application Firewalls (WAFs) fall short. Discover the concept of self-defending frameworks: fixing escaping at the framework layer, so that existing applications gain protection without code changes. Learn about context-aware escaping, its edge cases (HTML and SQL contexts), and its performance impact. Gain insights into XSS protection and authentication through practical examples and demonstrations.
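The core idea behind context-aware escaping, as the overview describes it, is that the same untrusted value must be encoded differently depending on where in the output it lands, and that some contexts (a URL attribute) need structural validation rather than escaping. The following is an added example written for this page, not code from the talk or its speaker: a minimal escaper of the kind a self-defending template engine would apply automatically. All function names, the allowed URL schemes and the sample payload are assumptions chosen for illustration.

```javascript
// Added example (not from the AppSecEU 2016 talk): a minimal context-aware
// escaper. A self-defending framework would pick the context from the
// template position; here the caller names it explicitly.

// HTML text and double-quoted attribute context: neutralise the five
// characters that can open a tag, close an attribute, or start an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Unquoted attribute context (edge case): HTML escaping alone is not enough,
// because a space or "=" ends the value and starts a new attribute such as
// onerror=... . Encode every non-alphanumeric character as a numeric entity.
function escapeAttrUnquoted(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// JavaScript string-literal context: \xHH / \uHHHH escapes, so that neither a
// quote nor "</script>" can terminate the literal or the script block.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const cp = c.charCodeAt(0);
    return cp < 0x100
      ? "\\x" + cp.toString(16).padStart(2, "0")
      : "\\u" + cp.toString(16).padStart(4, "0");
  });
}

// URL context (href/src): structural validation first, then HTML-escape for
// the attribute it lands in. Escaping cannot fix "javascript:alert(1)"; it is
// a well-formed URL, so the scheme must be checked against an allowlist.
const ALLOWED_SCHEMES = ["http", "https", "mailto"]; // assumption for this example
function safeUrl(value) {
  const s = String(value).trim();
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(s);
  if (m && !ALLOWED_SCHEMES.includes(m[1].toLowerCase())) {
    return "#"; // reject: unknown or dangerous scheme
  }
  return escapeHtml(s); // relative URL or allowed scheme
}

// Dispatch on output context; unknown contexts fail closed.
function escapeFor(context, value) {
  switch (context) {
    case "html": return escapeHtml(value);
    case "attr": return escapeHtml(value);          // inside "..." attribute
    case "attr-unquoted": return escapeAttrUnquoted(value);
    case "js": return escapeJsString(value);
    case "url": return safeUrl(value);
    default: throw new Error("unknown output context: " + context);
  }
}

// A template that places one untrusted value in four different contexts.
function renderCard(name, link) {
  return `<a href="${escapeFor("url", link)}" title="${escapeFor("attr", name)}">` +
    `${escapeFor("html", name)}</a>` +
    `<script>var n = "${escapeFor("js", name)}";</script>`;
}

// Constructed sample payload: tries to close an attribute and add a handler,
// plus a javascript: URL for the link.
const SAMPLE_NAME = '" onerror="alert(1)';
const SAMPLE_LINK = "javascript:alert(1)";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderCard(SAMPLE_NAME, SAMPLE_LINK));
}
```

The design point is that `escapeHtml` is correct for the text and quoted-attribute contexts but wrong for the other three: in an unquoted attribute it leaves the space that starts a new attribute, in a script block it leaves the closing tag intact, and in an `href` it cannot distinguish a harmless path from a `javascript:` URL. A framework that escapes at the output layer has to know the context, which is exactly why the talk treats context awareness and its edge cases as the hard part.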
Syllabus
Introduction
Introducing Oliver Lavery
The fundamental problem
How to escape data
Strict structural validation
The root cause of vulnerability
We blame the developers
We blame the technologies
WAFs fall short
What is the solution
Framework security
Fixing the foundation
Self defending frameworks
ISAPI
No code changes
Application
XSS
Examples
Context-aware escaping
Challenges
Demo
Example
Edge Cases
HTML
SQL
Objection
Coordinate State
Writing Good Software
Performance Impact
XSS Protection
Authentication
Cross-site scripting
Taught by
OWASP Foundation