How to REACT to JavaScript Security Issues

Presented at LocoMocoSec 2018, April 5, 2018, 3 p.m. (40 minutes)

According to a StackOverflow survey, JavaScript is the most commonly used programming language on earth. The JavaScript ecosystem is vast and complex: it includes JavaScript on the client side, on the server side, in mobile applications, and even in database engines. Today the client-side JavaScript space alone offers over 50 frameworks. The amount of application logic executed in the browser grows every year, which means the attack surface grows with it. Which security issues are most common in JavaScript applications? Do new frameworks provide the security controls needed to protect the growing amount of client-side code? In this talk we will answer these questions and, as an example, look at one of the hottest JavaScript frameworks today: React. We will discuss its newer features, such as components and server-side DOM rendering, analyze React's security posture, and demonstrate existing vulnerabilities.

Presenters:

  • Ksenia Peguero - Synopsys
    Ksenia Dmitrieva-Peguero is a Principal Consultant within Synopsys’ Software Integrity Group. She has seven years of experience in application security and five years of software development experience. Ksenia is a subject matter expert in a variety of software security practices including static analysis tool design, customization, and deployment, penetration testing, and threat modeling. Over the years she performed numerous engagements for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Throughout her career as a consultant, Ksenia has established and evolved secure coding guidance for many different firms, and has delivered numerous software security training sessions. She currently focuses on analyzing JavaScript frameworks and HTML5 technologies, researching their security implications, vulnerability discovery, and recommending best practices. Ksenia speaks regularly at events around the world, such as BSides Security in London, Nullcon in India, AppSec California, RSA Asia Pacific & Japan in Singapore, and AppSec Europe in Italy, and also has served on review boards of AppSec USA and AppSec EU conferences. Ksenia holds an MS in Computer Science from George Washington University and is currently pursuing her PhD.
