Clientside security with the Security Header Injection Module SHIM
Aaron Cure, Eric Johnson at AppSec USA 2014
Client-side security headers are useful countermeasures for Man-In-The-Middle, Clickjacking, XSS, MIME-Type sniffing, and Data Caching vulnerabilities. In this talk, we will review several security headers (e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, Content-Security-Policy, and X-Content-Type-Options) and the various options available for each header. We will then demonstrate a new open source Security Header Injection Module (SHIM) for ASP.NET (developed by the presenters) that can be configured to mitigate the vulnerabilities by setting the security headers for any web application. The SHIM tool will be officially released at AppSec USA.
Speakers
Aaron Cure
Senior Security Consultant, Cypress Data Defense, LLC
Aaron is a senior security consultant at Cypress Data Defense, and an instructor and contributing author for the CDD Introduction to Internet Security in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician, he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant.
Eric Johnson
Senior Security Consultant, Cypress Data Defense, LLC
Eric is a senior security consultant at Cypress Data Defense, and an instructor and contributing author for the SANS DEV544 Secure Coding in .NET course. He previously spent six years performing web application security assessments for a large financial institution, and another four years focusing on ASP .NET web development.
Speakers
Aaron Cure
Senior Security Consultant, Cypress Data Defense, LLC
Aaron is a senior security consultant at Cypress Data Defense, and an instructor and contributing author for the CDD Introduction to Internet Security in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician, he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant.
Eric Johnson
Senior Security Consultant, Cypress Data Defense, LLC
Eric is a senior security consultant at Cypress Data Defense, and an instructor and contributing author for the SANS DEV544 Secure Coding in .NET course. He previously spent six years performing web application security assessments for a large financial institution, and another four years focusing on ASP .NET web development.