AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Friday, January 24 • 11:55am - 12:45pm
How do JavaScript frameworks impact the security of applications?

The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms.
In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.

Ksenia Peguero

Sr. Research Engineer, Synopsys
Ksenia Peguero is a Sr. Research Engineer within Synopsys Software Integrity Group. She has nine years of experience in application security and five years in software development. Ksenia focuses her research in static analysis and JavaScript security, frameworks, and technologies...

Friday January 24, 2020 11:55am - 12:45pm PST
Club Room