What is CSP and why haven't you applied it yet? presented at OWASPAppSecCalifornia 2014

by Patrick Thomas, Joel Weinberger, Scott Behrens, Kenneth Lee, Ian Melven, Caleb Queern, Garret Robinson,

Summary : It’s 2013, and cross-site scripting is still on the OWASP top 10, ten years after it was in the number four slot on the same list. Cross-site scripting, although seemingly easy to remediate, continues to be problematic for developers, as edge cases crop up where the typical mitigation strategies are confusing. However advances in modern browser security provide developers the opportunity to become far more proactive in addressing this vulnerability class using a technology known as content-security policy (CSP).
When configured and implemented correctly, CSP can severely cripple cross-site scripting attacks. Big technology companies such as Twitter, Facebook, Etsy, and Github are using this to transparently protect their end users from this common vulnerability class.
This session is a combination of short micro talks and a panel discussion geared at getting you the tools needed to understand and implement CSP.
The first microtalk will be a primer to CSP. We will break down what CSP is and provide you the tools to get started with it. The next microtalk is centered around how to sell CSP to management, and techniques to increase adoption in your organization. The final microtalk is around what the web may look like in 5 years, and how content-security policy will play a key role in mitigating increasingly potent client-side attacks.