
FUZZCON EUROPE 2021

The World's Largest Online Conference About Fuzz Testing

OCTOBER 21st, 2021 | 100% ONLINE


12 Angry Developers - A Qualitative Study on Developers’ Struggles with CSP


Format

Scientific Talk

Session Time

5:45 - 6:15 (CET)

Speaker

Lea Gröber

Abstract

The Web has improved the ways we communicate, collaborate, teach, and entertain ourselves and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS).

A correctly crafted Content Security Policy (CSP) can effectively mitigate the impact of such Cross-Site Scripting attacks.

However, research has shown that the vast majority of policies deployed in the wild are trivially bypassable. To uncover the root causes behind this omnipresent misconfiguration of CSP, we conducted a qualitative study with 12 real-world Web developers.

By combining a semi-structured interview, a drawing task, and a programming task, we were able to identify the participants' misconceptions about the attacker model covered by CSP, the roadblocks to secure deployment, and the strategies they use to create a CSP.


About Lea Gröber

Lea Gröber is a Doctoral Student at CISPA Helmholtz Center for Information Security. Her research focuses on usable security and privacy, and her publications examine how people handle safety and security regulations in practice.


FuzzCon Europe is bringing developers and security experts together to build more robust and secure software.