After the last post on browser-based security, a few people asked how CSP works.
Basically, it is a contract between a web server and the client (i.e. the browser). The browser (being a client) basically executes everything sent to it by the web server. This is very risky when the web server is compromised (that is what happens when an attacker successfully launches an XSS attack against a website and injects HTML code).
As CSP is implemented at the web server level, it is the website administrator's duty to enable this feature. Usually the programmer has no right to change the production configuration of the web server. This segregation of duties on one hand increases control over unauthorized changes; on the other hand it makes web server security an orphan.
Since I moved from an internal IT risk manager role to a security consulting firm, I have been involved in different discussions on web application security. These experiences made me think that browsers are not security software and that their design has little security consideration. Missing security features in browsers are one of the root causes of today's cybercrime.
There have been some new developments in the browser domain that try to address this root cause. Developers at PayPal, Mozilla and Microsoft have developed three new browser-based security controls:
- Content Security Policy (CSP)
- HTTP Strict Transport Security
- Frame Options
These are IMPORTANT security features and once enabled will stop most XSS attacks. However, these security features need both server-side and client-side implementations in order to utilize the protections. Not all browsers support these new features! Only Firefox 4 and IE10 support them.
The Australian Department of Defence published a comprehensive and user-friendly document on these features. It is a must-read for all web developers.
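The server-side half of the contract is just three response headers. As an added example (not code from the original post or from the guidance document), here is a small checker a defender can run over a site's response headers to see whether each of the three controls is present and whether the CSP is loose enough to let injected scripts through; the header values and hostnames in the samples are constructed, and the X-Content-Security-Policy name is the Firefox 4-era spelling of the header.

```python
import re

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit_headers(headers):
    """Return findings for the three controls; an empty list means all look sound."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # 1. CSP: the browser runs script only from the listed sources, so a <script>
    #    injected by XSS is refused unless the policy itself is too loose.
    csp = h.get("content-security-policy") or h.get("x-content-security-policy")  # X- form: Firefox 4 era
    if csp is None:
        findings.append("CSP missing: browser executes any script injected into the page")
    else:
        policy = parse_csp(csp)
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP sets neither script-src nor default-src: scripts unrestricted")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or wildcard scripts: XSS protection is void")
    # 2. HSTS: the browser insists on HTTPS, so a network attacker cannot
    #    downgrade the session and inject content over plain HTTP.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m is None or int(m.group(1)) == 0:
        findings.append("HSTS missing or max-age=0: HTTPS is not enforced by the browser")
    # 3. Frame Options: stops another site framing the page (clickjacking).
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN: page can be framed")
    return findings

# Constructed sample responses: a hardened server and an unconfigured one.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.com",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
}
WEAK = {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_headers(hdrs) or ["OK"])
```

Feed it the headers captured from a real response (for example via `curl -I`) to see what the administrator still has to enable.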
Technical guidance for improving web application security through implementing web browser based mitigation
Although there is still some room for improvement, they are doing a very good job compared with a HK online banking website (shown on the right-hand side).
web page security
If you ask the above question of the various cloud service providers, I am sure their answers are “Definitely yes”.
If you ask the same question of end users, their answers may end up like “I really don’t care.” And if you put the question to business owners, their answers will probably be “Maybe”, because seriously no one really reveals all the cloud benefits and the implementation pros and cons to them.
IT professionals, however, will probably give a vague answer – “It depends.” The long form of the answer is – “It depends on the maturity of the cloud market and technology, and whether the solutions available today can match your budget, quality requirements, and expected service level. More importantly, whether cloud technology and solutions can help your company improve its competitive advantage.”
That’s exactly what the Cloud Security Alliance (CSA) and the Information Systems Audit and Control Association (ISACA) did in a recent survey, to answer part of the question: what is the maturity of the cloud technology and market now? A collaborative project by CSA and ISACA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing.
The study also reveals that cloud users in 50 countries were least confident about the following issues (ranked from least confident to most confident):
- Government regulations keeping pace with the market (1.80)
- Exit strategies (1.88)
- International data privacy (1.90)
- Legal issues (2.15)
- Contract lock in (2.18)
- Data ownership and custodian responsibilities (2.18)
- Longevity of suppliers (2.20)
- Integration of cloud with internal systems (2.23)
- Credibility of suppliers (2.30)
- Testing and assurance (2.30)
None of these findings is really a surprise, I suppose; however, it is important to conduct such a project because it helps us understand how the cloud market will change over time, and how it advances from infancy to full maturity.
Do check out the press release and the full report to understand more about the findings, or you can check out the following infographic – the whole report in one picture.