Browser based website security control

Since I moved from an internal IT Risk manager to a security consulting firm, I have been involving in different discussions on web application security. These experiences made me think that browsers are not a security software and its design has little security consideration. Missing security features in browser is one of the root cause for today’s cybercrime.

There were some new developments in the browser domain that trying to address the root cause. Developers for PayPal, Mozilla and Microsoft develop three new browser-based security controls:

  1. Content Security Policy (CSP)
  2. HTTP Strict Transport Security
  3. Frame Options

These are IMPORTANT security features and once enabled will stop most XSS attacks. However, these security features need both server and client side implementations in order to utilize the protections. Not all browsers support these new features! Only Firefox 4 and IE10 support.

The Australia Department of Defense published a comprehensive and user-friendly document on these features. It is a must read for all web developers.

Technical guidance for improving web application security through implementing web browser based mitigation

To test if your browser supports Content Security Policy, we could to go Internet Storm Centre. If you only see one Javascript popup, your browser supports CSP. Recently, a security firm Recx Ltd created a Chrome extension that analyse web pages security features. It check the HTTP-headers and cookie settings against best practices, then shows the result in a simple and directly way. I installed it on Chrome and used it to test on some websites. The first is HKCERT, where a few of my friends are working there. I am sure they do not mind to demonstrate web security implementations.

Although there are still some room to improve, they are doing a very good job when comparing with a HK online banking website (shown on right hand side).

web page security

This entry was posted in Technology, Uncategorized and tagged , , , , , on by .

About antonyma

Engineering trained, Antony has the qualifications of CISA, CCSP, Oracle DBA and BS7799 ISMS assessor. He also received a LLM in Intellectual Property & Information Technology Law from The University of Hong Kong. Founder of Cybersecurity Risk Assessment firm Antony was th Chairman of Professional Information Security Association (PISA) from 2009 to 2010. He also joined ISC2 workshop on developing a new cloud security certification. Current positions include: 1. Chairman of Cloud Security Alliance (Hong Kong & Macau Chapter) 2. Convenor of HK OGCIO Working Group on Cloud Security and Privacy 3. Hong Kong delegate to ISO SC 27 committee, which drafts security standards like ISO27001. email : Specialties Retail Banking System & Process, IT Security, Copyright Law, Audit & Control, Technology Risk Management, Cloud Security

1 thought on “Browser based website security control

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s