Web Security Training
Navigating the web security landscape
I hope you enjoyed the training course. I'm sure you already learned a lot about web security, common attacks and their defenses. This page offers you further reading material and links to useful resources. If you want to stay up to date in the future, I highly recommend subscribing to our mailing list using the button below.
As an overall introduction, I can highly recommend Mike West's (Google) keynote speech on Hardening the Web Platform.
The links below explain a few topics from the course in a lot more detail.
An excellent write-up of the cryptographic errors that have been uncovered in the Adobe breach
A blog post about the advantages of the YubiKey
The FIDO U2F security reference, which clearly gives an overview of the threats U2F counters.
The SameSite cookie flag explained in more detail
An account from an IE engineer who came up with cookie prefixes, which are ironically supported by most browsers except IE
An informative blog post with a list of JWT Best Practices
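The SameSite and cookie-prefix links above describe rules that are easy to get wrong when writing a Set-Cookie header by hand. The following linter is an added example written for this page (it is not code from the course or from the linked articles); it checks a raw Set-Cookie value against the documented constraints: a `__Host-` cookie needs `Secure`, `Path=/` and no `Domain`, a `__Secure-` cookie needs `Secure`, and `SameSite=None` is only honoured together with `Secure`. The attribute parsing is a deliberately simple split on `;` that assumes no `;` inside the cookie value.

```javascript
// Added example: lint a Set-Cookie header for cookie-prefix and SameSite rules.
// Assumes a well-formed header with no ';' inside the cookie value.

function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [nameValue = '', ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = (eq >= 0 ? nameValue.slice(0, eq) : nameValue).trim();
  const value = eq >= 0 ? nameValue.slice(eq + 1).trim() : '';
  const attrs = {};
  for (const p of attrParts) {
    const i = p.indexOf('=');
    // Attribute names are case-insensitive; value-less attributes (Secure, HttpOnly) become true.
    const key = (i >= 0 ? p.slice(0, i) : p).trim().toLowerCase();
    attrs[key] = i >= 0 ? p.slice(i + 1).trim() : true;
  }
  return { name, value, attrs };
}

function lintSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  const secure = attrs.secure === true;

  // Cookie prefixes: the browser refuses the cookie if these constraints are violated.
  if (name.startsWith('__Host-')) {
    if (!secure) problems.push('__Host- cookie must have Secure');
    if (attrs.path !== '/') problems.push('__Host- cookie must have Path=/');
    if ('domain' in attrs) problems.push('__Host- cookie must not set Domain');
  } else if (name.startsWith('__Secure-')) {
    if (!secure) problems.push('__Secure- cookie must have Secure');
  }

  // SameSite: be explicit, because the default differs between browsers.
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) {
    problems.push('no SameSite attribute (browser defaults differ; set it explicitly)');
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    problems.push(`unknown SameSite value "${attrs.samesite}"`);
  } else if (sameSite === 'none' && !secure) {
    problems.push('SameSite=None requires Secure');
  }

  // Session cookies should not be readable from script.
  if (!('httponly' in attrs)) problems.push('no HttpOnly (script-readable)');
  return problems;
}

// Usage: lintSetCookie('__Host-session=abc; Secure; Path=/; HttpOnly; SameSite=Strict') returns []
```

A clean `__Host-` session cookie produces no findings; one that sets `Domain`, drops `Secure` and uses `SameSite=None` produces one finding per violated rule, which is the kind of output you want in a CI check over your application's responses.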
A few pointers to some practical information on authentication and authorization.
An overview of the biggest data breaches over time
A detailed account of how Dropbox goes out of their way to store your passwords securely.
Practical advice on addressing the top challenges with implementing U2F-based multi-factor authentication.
A description of Facebook's delegated recovery mechanism
Using authentication tokens in a Single Page Application
Additional information on Cross-Site Scripting and Content Security Policy can be found below.
A very clear overview of XSS attacks and defenses, ideal to sharpen your understanding of XSS
A detailed blog post on template injection in AngularJS applications using the orderBy filter
The blog post series on deploying CSP at Dropbox
GitHub's well-documented CSP journey
The CSP 'strict-dynamic' source expression, presented by Google engineers at AppSec 2016
A few practical resources and tools to combat XSS attacks
OWASP's XSS Filter Evasion Cheat Sheet
The CSP Playground, which includes a policy validator for CSP
Google's CSP Evaluator tool to check the security of your policy.
The write-up of the decision and impact of removing the AngularJS Expression Sandbox
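To make the CSP pointers above concrete, here is an added example (not code from the course, from Dropbox, GitHub or the CSP Evaluator) that parses a Content-Security-Policy header and flags the weaknesses those tools and posts warn about: 'unsafe-inline' in script-src without a nonce or hash, 'unsafe-eval', wildcard or scheme-only script sources, a missing object-src 'none', and a missing base-uri. It also encodes the 'strict-dynamic' rule: once a nonce and 'strict-dynamic' are present, host allowlists and 'unsafe-inline' are ignored by CSP3 browsers and only serve as a fallback for older ones, so they are not reported. The checks are a subset of what CSP Evaluator performs.

```javascript
// Added example: a minimal CSP reviewer in the spirit of Google's CSP Evaluator.
// Assumes a single header value; per the spec, the first occurrence of a directive wins.

function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function reviewCsp(header) {
  const d = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent.
  const script = d.get('script-src') ?? d.get('default-src');
  if (!script) {
    findings.push('no script-src or default-src: scripts may load from anywhere');
  } else {
    const has = s => script.includes(s);
    const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = has("'strict-dynamic'");
    // With a nonce/hash present, 'unsafe-inline' is ignored by CSP3 browsers (kept as CSP1 fallback).
    if (has("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce/hash: injected inline script runs");
    }
    if (has("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    // With 'strict-dynamic', host and scheme allowlists are ignored, so they are not a weakness.
    if (!strictDynamic) {
      for (const s of script) {
        if (s === '*' || /^(https?|data):$/.test(s)) {
          findings.push(`script-src allows overly broad source ${s}`);
        }
      }
    }
  }

  // Plugins (object-src) can execute script; require an explicit or inherited 'none'.
  const objectSrc = d.get('object-src') ?? d.get('default-src') ?? [];
  if (!(objectSrc.length === 1 && objectSrc[0] === "'none'")) {
    findings.push("object-src is not 'none': plugin content can run script");
  }
  // base-uri does not inherit from default-src; without it <base> injection redirects relative script URLs.
  if (!d.has('base-uri')) findings.push('no base-uri: <base> injection can hijack relative script URLs');
  return findings;
}

// Usage: reviewCsp("object-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; base-uri 'none'") returns []
```

The strict, nonce-based policy shape from the Google 'strict-dynamic' talk passes cleanly, while a classic host-allowlist policy with 'unsafe-inline' collects one finding per weakness, matching the advice in the Dropbox and GitHub write-ups to move from allowlists to nonces.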