Warn if Secure or How to Deal with Security by Default in Software Development?
Location: TEL, Room Auditorium 3 (20th floor), Ernst-Reuter-Platz 7, 10587 Berlin
Date/Time: 08.07.2019, 14:15-15:00
Speaker: Peter Gorski (TH Köln)
In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as a security default in a web framework. When deployed correctly, CSP is a valid protective measure in a defence-in-depth strategy against code injection attacks. We present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when it is deployed as a security default. Our results emphasize that deployment as a security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve, and not weaken, security. We provide initial insights to inform research on aiding developers in the creation of secure web applications with usable security by default.