How do JavaScript frameworks impact the security of applications?

Aug 15, 2019 · Reston, United States of America

The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms.

In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.

Ksenia Peguero is a Senior Research Engineer within Synopsys Software Integrity Group. She has nine years of experience in application security and five years in software development. Ksenia focuses her research on static analysis and JavaScript security, frameworks, and technologies. Before diving into research, she had a consulting career in a variety of software security practices including penetration testing, threat modeling, code review, and static analysis tool design, customization, and deployment. Over the years, she performed numerous engagements for clients in the financial services, entertainment, telecommunications, energy, and enterprise security industries. Throughout her journey, Ksenia has established and evolved secure coding guidance for many different firms, and has developed and delivered numerous software security training sessions. Ksenia speaks regularly at events around the world, such as BSides Security, Nullcon, RSA, AppSec EU and USA, TheWebConf, and LocoMocoSec, to name a few. She has also served on the review boards of OWASP AppSec USA, EU, and Global conferences.

Event organizers
  • OWASP Northern Virginia Chapter

    The OWASP Northern VA Local Chapter meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge. The chapter is committed to providing an engaging experience for a variety of audience types ranging from local students and those beginning in app-sec, to those experienced and accomplished professionals who are

