lecture: Security in the age of frameworks

abstraction leads to pain, pain leads to suffering, suffering leads to token leakage


A “monsters found” talk about the implications of security measures baked into web frameworks and the ways in which developers and sysadmins defeat those measures. The talk will use Python web frameworks like Django and Flask for examples, but the concepts are universal. It will cover broken SSL implementations, OAuth token leakage, vulnerable cookie signatures and other brokenness.

Security can never be one-size-fits-all; it requires constant and vigilant configuration, customization and verification. Failure to re-evaluate correctness after minor, seemingly unrelated configuration changes can completely strip the security measures of any effectiveness. Since developers did not write these measures themselves, we rely on them to understand the functionality by reading the documentation at a level that includes known issues, which is rarely the case.

Since security measures ship with frameworks, sysadmins are also not fully aware of them, how they function, and what their failure modes look like. The demarcation line is unclear and, as a result, things fall through the cracks. Often the simplest countermeasure is to bring in a fresh pair of eyes.
Day: 2016-09-15
Start time: 10:00
Duration: 00:30
Room: Main Stage
Track: Defense
Language: en