Software Integrity Blog

Author Archive

Ksenia Peguero


Ksenia Peguero is a senior research lead at Synopsys. Her key areas of expertise include JavaScript, TypeScript, HTML5, content security policy, and static analysis. Ksenia loves studying new technologies, finding vulnerabilities in them, and discovering ways to protect them. Before diving into research, she worked as a consultant in a variety of software security practices, including penetration testing, threat modeling, code review, static analysis tool design, customization, and deployment. She presents at conferences frequently, including AppSec California, BSides Security London, and RSA Asia Pacific and Japan. Outside the office, Ksenia is a competitive ballroom dancer.


Posts by Ksenia Peguero:


NPM dependencies, supply chain attacks, and Bitcoin wallets

The EventStream incident shows just how easily attackers can infiltrate the open source software supply chain by adding a malicious dependency to a trusted component.

Posted in Open Source Security, Software Composition Analysis

An escape room called the ‘AngularJS sandbox’

The AngularJS framework has become extremely popular in the last couple of years. There are several reasons for this. First, it provides convenient data binding on the client side. AngularJS also allows for the decoupling of the HTML template from the page logic written in JavaScript. This makes development much easier. It also allows seamlessly enabling […]

Posted in General

The sacred knowledge of securing JavaScript

JavaScript is gaining more and more popularity not just on the front end but also on the back end, with new frameworks coming out almost every month. On the client side, we are watching an overwhelming encroachment of AngularJS, which is slowly pushing out Knockout.js, React.js, and Ember.js. On the server side, Node.js has established its base with Express […]

Posted in Security Training, Webinars

Serving resources over SSL with CSP upgrade-insecure-requests

You know how AppScan Standard and other dynamic testing tools report a finding when an HTTPS page accesses some HTTP resources? How do you fix this issue effectively? Perhaps the owners of those resources have already done all the server-side legwork: obtaining a certificate, configuring the server, and setting up redirects. And they’ve ensured that the […]

Posted in Web Application Security

Browser implementations of content security policy introduce security problems

In an article from August 2014, Pascal Landau describes how to deanonymize Facebook users by brute-forcing Content Security Policy (CSP). The idea is that an attacker tricks a user who is currently logged into Facebook into visiting the attacker’s page. The attacker’s page has an iframe pointing to https://facebook.com/me with the CSP policy listing […]

Posted in Web Application Security