Architecture and Design Considerations - Build Security In - US-CERT
To use CSP, the server sends a Content-Security-Policy HTTP response header with each page. The header is a whitelist of the sources from which the browser may load scripts, stylesheets, images, frames and other content. A browser that supports CSP enforces that whitelist: by default it refuses to run inline script and event-handler attributes, and it blocks any resource whose origin is not listed, so a script injected through an XSS flaw has nowhere to run even when it reaches the page. Browsers that do not support CSP simply ignore the header, so CSP is defence in depth alongside output encoding, not a replacement for it. When the policy includes a reporting directive, the browser also POSTs a JSON violation report to the server for every resource it blocks; this lets the site operator find injected or misconfigured content and remove it from the site, protecting other users. A developer who is not yet ready to block anything can instead send the same policy under the Content-Security-Policy-Report-Only header: the browser then loads all content as before but still reports every resource the whitelist would have blocked, which is the usual way to tune a policy before enforcing it.
Resources
» Wai, Oliver, and Bob Matlow. "Details of a Real Data Breach." Barracuda Networks, 9 April 2011.
» OWASP. "OWASP Code Review Guide: 2008 V1.1." OWASP, 2008.
» OWASP. "OWASP Secure Coding Practices: Quick Reference Guide." OWASP, November 2010.
» Rook, David. "Session Management." Security Ninja: Security Research, News & Guidance. Realex Payments, 1 December 2010.
» Siles, Raul. "Session Management Cheat Sheet." OWASP, October 2011.
» Coates, Michael, Dave Wichers, Michael Boberski, and Tyler Reguly. "Transport Layer Protection Cheat Sheet." OWASP.
» Ferguson, Dave. "Best Practices for a Secure 'Forgot Password' Feature." Fishnet Security, 2010.
» Sterne, Brandon. "Content Security Policy." 2011.
Software Assurance Pocket Guide Series: Development, Volume V – Version 2.0, May 18, 2012 (p. 21)