The OWASP Top 10 is one of the most influential security documents of all time. A couple of years ago, these 10 security issues impacted almost every web application. Today, however, the web application landscape has fragmented: monoliths have become frontends, backends, and third-party APIs. As a result, it has become harder to figure out which security measures belong where. Overall, security has gotten a lot more complicated.
In this talk, we explore the relationship between the OWASP top 10 and Angular applications. We will see how some issues are barely relevant in an Angular world. We will discover that Angular addresses some issues out of the box. Moreover, we will learn which issues require the most attention in an Angular application.
RESOURCES MENTIONED IN THIS SESSION
Session slides: https://pragmaticwebsecurity.com/talks/angularowasptop10 (plus a link to a free security cheat sheet)
– Enable the ngSanitize module for sanitization of HTML output: https://docs.angularjs.org/api/ngSanitize
– Info on SCE (Strict Contextual Escaping): https://docs.angularjs.org/api/ng/service/$sce
– The decision to remove the expression sandbox in 1.6: http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html
– Avoid template injection through the orderBy filter: https://www.synopsys.com/blogs/software-security/angularjs-1-6-0-sandbox/
– Great video on AngularJS security issues by Lewis Ardern: https://www.youtube.com/watch?v=3vuLPzjc4RI
PHILIPPE DE RYCK
Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.