Software Integrity Blog

Author Archive

Ksenia Peguero


Ksenia Peguero is a senior research lead at Synopsys. Her key areas of expertise include JavaScript, TypeScript, HTML5, content security policy, and static analysis. Ksenia loves studying new technologies, finding vulnerabilities in them, and discovering ways to protect them. Before diving into research, she worked as a consultant in a variety of software security practices, including penetration testing, threat modeling, code review, static analysis tool design, customization, and deployment. She presents at conferences frequently, including AppSec California, BSides Security London, and RSA Asia Pacific and Japan. Outside the office, Ksenia is a competitive ballroom dancer.


Posts by Ksenia Peguero:

 

NPM dependencies, supply chain attacks, and Bitcoin wallets

The EventStream incident shows just how easily attackers can infiltrate the open source software supply chain by adding a malicious dependency to a trusted component.

Posted in Open Source Security, Software Composition Analysis

 

An escape room called the ‘AngularJS sandbox’

The AngularJS framework has become extremely popular in the last couple of years, for several reasons. First, it provides convenient data binding on the client side and decouples the HTML template from the page logic written in JavaScript. This makes development much easier and, because the logic no longer lives in inline scripts, makes it practical to enable a content security policy for your application. Second, AngularJS makes it easy to build single-page applications: every “page” is now a view that the client-side code routes to, passing the application state in scope variables. Third, AngularJS provides good protection from cross-site scripting (XSS) out of the box. The framework ships with automatic contextual output encoding, which applies the right encoding scheme to untrusted data depending on where it ends up in the page (in a URL, in an HTML attribute value, or as HTML element content).
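To make "contextual output encoding" concrete, here is an added example (hand-written for this page, not AngularJS's own $sce/ng-bind code and not from the post): a Node.js script that takes one untrusted value and encodes it differently for element content, an attribute value, a URL query parameter, and a whole URL. The function names, the rendered snippet and the attacker input are constructed for the example.

```javascript
// Added example (not AngularJS code and not from the original post): a
// hand-rolled contextual output encoder, showing why the same untrusted
// value needs a different encoding depending on where it lands in the page.
'use strict';

// HTML element content: neutralise the characters that can open a tag or
// an entity, or (if the value is reused in an attribute) close a quote.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute value: encode every code point outside [A-Za-z0-9] as a
// numeric entity, so the value cannot close the quote or add an
// event-handler attribute even if the template author forgot the quotes.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// URL query parameter: percent-encoding.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Whole URL (e.g. an href): encoding cannot help here, because a
// javascript: or data: URL consists of perfectly "safe" characters.
// Allow-list the scheme instead and fall back to an inert URL.
function safeUrl(url) {
  const u = String(url).trim();
  if (/^\/(?!\/)/.test(u)) return u;        // same-origin path
  if (/^https?:\/\//i.test(u)) return u;    // absolute http(s) URL
  return 'about:blank';                     // javascript:, data:, //host, ...
}

// One untrusted value lands in four contexts; each gets its own treatment.
function renderProfileSnippet(name, link) {
  return [
    `<p>Hello, ${encodeForHtml(name)}!</p>`,
    `<input type="text" value="${encodeForHtmlAttribute(name)}">`,
    `<a href="${encodeForHtml(safeUrl(link))}">profile</a>`,
    `<a href="/search?q=${encodeForUrlParam(name)}">search</a>`,
  ].join('\n');
}

// Constructed attacker input: a tag breakout and a javascript: URL.
const EVIL_NAME = '"><script>alert(1)</script>';
const EVIL_LINK = 'javascript:alert(document.cookie)';

console.log(renderProfileSnippet(EVIL_NAME, EVIL_LINK));
```

Two caveats worth keeping in mind: these encoders cover only the HTML, attribute and URL contexts (a value dropped into a `<script>` block or a style needs yet another scheme), and no output encoder helps once untrusted input is placed inside the AngularJS template expression itself, which is the situation the sandbox escapes discussed in the post start from.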

Posted in General

 

The sacred knowledge of securing JavaScript

JavaScript is gaining more and more popularity not just on the front end but also on the back end, with new frameworks coming out almost every month. On the client side, we are watching the overwhelming advance of AngularJS, which is slowly pushing out Knockout.js, React.js, and Ember.js. On the server side, Node.js has established its base, with Express as its main companion, but new web frameworks and specialized frameworks such as Hapi.js, Sails.js, and Socket.IO are growing like mushrooms after a good rain. And then there are the new kids on the block, such as Meteor and Aurelia, which are popular for prototyping and are beginning to make their way into real production environments.

Posted in Security Training

 

Serving resources over SSL with CSP upgrade-insecure-requests

You know how AppScan Standard and other dynamic testing tools report a finding when an HTTPS page loads some of its resources over plain HTTP (mixed content)? How do you fix this issue effectively?
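As an added example (not code from the post), the following Node.js script does both halves of the job: it scans an HTML page for the http:// subresource references a scanner such as AppScan would report as mixed content, and it builds the Content-Security-Policy header value that adds upgrade-insecure-requests to whatever policy the site already sends. The sample page, host names and function names are constructed for the example.

```javascript
// Added example (not from the original post): find the HTTP subresource
// references a DAST tool would flag as mixed content on an HTTPS page, and
// build the CSP response header that tells browsers to upgrade them.
'use strict';

// Attributes whose values the browser fetches as subresources.
const SUBRESOURCE_ATTRS = {
  script: ['src'],
  img: ['src', 'srcset'],
  link: ['href'],
  iframe: ['src'],
  audio: ['src'],
  video: ['src', 'poster'],
  source: ['src'],
  object: ['data'],
};

// Return an array of {tag, attr, url} for every subresource loaded over
// plain http://. Regex scanning is enough for a quick audit; a real
// crawler would use a DOM parser.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = SUBRESOURCE_ATTRS[tag];
    if (!attrs) continue;
    for (const attr of attrs) {
      const attrRe = new RegExp(`\\b${attr}\\s*=\\s*["']([^"']*)["']`, 'i');
      const a = attrRe.exec(m[2]);
      if (a && /^http:\/\//i.test(a[1].trim())) {
        findings.push({ tag, attr, url: a[1].trim() });
      }
    }
  }
  return findings;
}

// The fix: a CSP containing upgrade-insecure-requests makes the browser
// rewrite http:// subresource URLs to https:// before fetching them.
// Directives the site already serves are kept; the new one is appended
// once.
function withUpgradeInsecureRequests(existingCsp) {
  const directives = (existingCsp || '')
    .split(';').map((d) => d.trim()).filter(Boolean);
  if (!directives.some((d) => d.toLowerCase() === 'upgrade-insecure-requests')) {
    directives.push('upgrade-insecure-requests');
  }
  return directives.join('; ');
}

// Constructed sample page, assumed to be served from https://example.com/.
// The <a href> is a navigation, not a subresource, so it is not reported.
const SAMPLE_PAGE = `<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png" alt="logo">
<a href="http://example.com/about">About</a>
</body></html>`;

for (const f of findMixedContent(SAMPLE_PAGE)) {
  console.log(`mixed content: <${f.tag} ${f.attr}="${f.url}">`);
}
console.log('Content-Security-Policy: ' +
  withUpgradeInsecureRequests("default-src 'self'; img-src 'self' images.example.com"));
```

The directive is a safety net, not a replacement for fixing the references: it only works in browsers that support it, and it does not make the upstream host serve HTTPS, so a resource that is only available over HTTP will simply fail to load. The same directive can also be delivered in the page itself as `<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">` when you cannot change response headers.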

Posted in Web Application Security

 

Browser implementations of content security policy introduce security problems

We review how attackers can abuse browsers’ content security policy implementations to trick users and potentially gather personal information, using a Facebook example.

Posted in Web Application Security