Web application security is a complicated matter. To assist site operators in secure web application development, browser vendors offer client-side security mechanisms designed to offer robust protection against common threats. Unfortunately, prior research showed that these mechanisms are often ineffective in practice for several reasons. In this talk, I provide yet another perspective on why client-side security mechanisms often fail, by focusing on the problem of inconsistent configuration. Inconsistencies not only affect web application security, but might also bias the results of web security measurements. In particular, I identify inconsistencies in the adoption of popular client-side security mechanisms like CSP, HSTS and cookie security attributes, which motivates the relevance of this issue and the need for further research on it.
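As an added illustration of the kind of inconsistency the abstract refers to (this is not code from the talk or its author), the following Python checks a set of constructed responses from a hypothetical site for mechanisms that are deployed on some pages or hosts but not on others; the host `example.test`, its paths and all header values are invented.

```python
from collections import defaultdict

# Constructed sample responses for a hypothetical site: (host, path) -> headers.
SAMPLE_RESPONSES = {
    ("example.test", "/"): [
        ("Content-Security-Policy", "default-src 'self'"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc; Secure; HttpOnly; SameSite=Lax")],
    ("example.test", "/account"): [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc; HttpOnly")],
    ("www.example.test", "/"): [
        ("Content-Security-Policy", "default-src 'self'"),
        ("Strict-Transport-Security", "max-age=300")],
}

def headers(hdrs, name):
    """Values of header `name` (case-insensitive) in a header list."""
    return [v for h, v in hdrs if h.lower() == name]

def find_inconsistencies(responses):
    """Flag mechanisms deployed on some responses of the site but not others."""
    findings = []
    # CSP: a policy present on some pages but absent on others leaves gaps.
    no_csp = sorted(f"{h}{p}" for (h, p), v in responses.items()
                    if not headers(v, "content-security-policy"))
    if no_csp and len(no_csp) < len(responses):
        findings.append("CSP missing on: " + ", ".join(no_csp))
    # HSTS: hosts of one site announcing different (or no) policies.
    hsts = defaultdict(set)
    for (host, _), v in responses.items():
        hsts[host].update(headers(v, "strict-transport-security"))
    if len({frozenset(s) for s in hsts.values()}) > 1:
        findings.append("HSTS differs across hosts: " + "; ".join(
            f"{h}={sorted(s)}" for h, s in sorted(hsts.items())))
    # Cookies: the same cookie name set with weaker attributes on some paths.
    cookies = defaultdict(dict)
    for (host, path), v in responses.items():
        for raw in headers(v, "set-cookie"):
            parts = [p.strip() for p in raw.split(";")]
            name = parts[0].split("=", 1)[0]
            cookies[name][host + path] = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    for name, seen in cookies.items():
        for attr in ("secure", "httponly", "samesite"):
            present = sorted(u for u, a in seen.items() if attr in a)
            if present and len(present) < len(seen):
                findings.append(f"cookie {name}: {attr} set on {present} only")
    return sorted(findings)
```

Run against the sample it reports the missing CSP on `/account`, the differing HSTS policy on the `www` host, and the `session` cookie losing its `Secure` and `SameSite` attributes on one path.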
Stefano Calzavara is a tenure-track assistant professor at Università Ca' Foscari Venezia, Italy. He has held a National Scientific License (ASN) for the role of Associate Professor in Computer Science and Information Engineering since the end of 2019.
Stefano's research focuses on formal methods, computer security and their intersection, with a strong emphasis on web security. Stefano has published 46 papers on these topics at widely recognized international conferences and journals, including IEEE S&P, ACM CCS, NDSS, USENIX Security, WWW, IEEE CSF, ESOP, ACM CSUR, ACM TOPLAS and ACM TWEB. He regularly serves on the program committees of a number of scientific events, including flagship conferences like ACM CCS, USENIX Security, WWW, IEEE EuroS&P and IEEE CSF.