This time, we interviewed none other than the international security expert Dr. Philippe De Ryck, GDE.
ANGULARarchitects: Philippe, you specialize in security for modern web applications. However, modern frameworks are becoming safer and safer. For instance, Angular automatically encodes all bound data. Is your job at stake?
Philippe: Honest answer ... I wish that were true, because that would mean we've made tremendous progress in building more secure applications.
In reality, I do see a significant improvement in frameworks’ approach towards security. For example, Angular offers built-in defenses against Cross-Site Scripting, which is a great way to be secure-by-default. Of course, developers still need to know how and when these automatic defenses apply, and how to avoid vulnerabilities by accidentally circumventing them.
ANGULARarchitects: You mentioned Cross-Site Scripting (XSS). It's been there for years. Why haven't we found an easy and good way to prevent it yet?
Philippe: That’s not such an easy question to answer. On one level, XSS is inherent to the web. Whenever you mix untrusted data with some markup and ask the browser to render it, there’s a potential XSS vulnerability.
Avoiding XSS is possible when you rigorously follow secure coding guidelines. Unfortunately, doing that consistently across different teams and for different use cases is less than trivial.
ANGULARarchitects: Which options do we currently have for preventing XSS?
Philippe: Well, on one hand, we have secure coding guidelines that avoid XSS vulnerabilities altogether. On the other hand, there are defense-in-depth mechanisms that you use in case your application still contains a vulnerability and something does go wrong. Two example techniques are Content Security Policy (CSP) and Trusted Types.
ANGULARarchitects: Implementing CSP can be quite a challenge. Why?
Philippe: CSP is a bit of a mess. There are the old versions, also known as level 1 and level 2, which are considered mostly deprecated. Elaborate level 2 CSP policies are often easy to bypass, which negates most of the benefits of CSP. Then you have level 3, which fixes a bunch of issues, but is also less compatible with frameworks such as Angular and React. Deploying CSP correctly in modern applications takes quite a bit of knowledge. In fact, in this workshop, we spend a few hours on learning how to configure CSP for Angular applications.
ANGULARarchitects: Can you tell us a bit more about trusted types?
Philippe: Trusted Types is a browser security mechanism that eliminates dangerous assignments to the innerHTML property. In a nutshell, it forces you to either use a clean and secure coding style, or to explicitly handle security with a Trusted Types policy.
Going into details would take us a bit too far here, but one final thing to know: Angular is a big fan of Trusted Types and supports it out of the box since version 11.
ANGULARarchitects: Recently, a new version of the OWASP Top 10 was released. What would you recommend according to their findings?
Philippe: The OWASP top 10 is intended to raise awareness about issues. One important observation is that the Top 10 is trying to address fundamental security issues in software, which already starts in the early design phases.
I would say that the most important realization for security in general is that it’s a process, not a step. Security has to play a role in the design phase, during development, but also in testing and deployment.
ANGULARarchitects: After several years, the OAuth 2 team put together several best practices that revise several things we find in the original spec. Does this mean that OAuth 2 has major flaws, and do we need to worry now?
Philippe: Major flaws would typically be addressed with a new release, not an update of best practices. What we see in the OAuth 2.0 landscape is a natural evolution of various use cases. Over the last 9 years, the kind of applications we build has changed, but so have browser capabilities and deployment models.
In essence, a protocol such as OAuth 2.0 naturally evolves, which requires a specification that outlines current best practices.
And in case you did not know yet, OAuth 2.1 will consolidate a number of these new recommendations in a single document.
ANGULARarchitects: How would you use OAuth 2 for Angular-based SPAs nowadays?
Philippe: Fully securing OAuth 2.0 in a frontend application is actually quite challenging. The best way to build a secure application using OAuth 2.0 is to combine the frontend with a simple server-side component, known as a “Backend For Frontend”. This way, you can push delicate security logic to a server-side component, which enables you to follow all of OAuth 2.0’s best practices.
ANGULARarchitects: Are there any developments in the area of security you are looking forward to?
Philippe: Yes, of course. I’m looking forward to more security support in modern environments. Browsers are actively pushing for more security by supporting a whole range of interesting features. Just look at the security headers that have been introduced in recent years, or the upcoming sanitization API.
ANGULARarchitects: Let's talk about your Angular Security workshop you are going to do in October. Which topics do you cover?
Philippe: In the workshop, we dive deep into Angular security.
We start with a couple of fundamental security principles for frontends that play a crucial role in the design of a secure application.
We cover XSS attack vectors and secure coding guidelines for Angular applications. We also dive into CSP and Trusted Types as additional defenses.
After we have covered these topics and done some hands-on exercises, we look into best practices for using OAuth 2.0 in Angular applications. We cover the latest flows, along with the security challenges that arise in SPAs. I’ll also discuss the Backend For Frontend pattern in quite a bit of detail.
ANGULARarchitects: To whom would you recommend this workshop?
Philippe: Oh, that’s easy. Anyone involved in designing or building Angular applications. Each time we run this workshop, people use their newfound knowledge to assess their own applications, typically finding actual issues in their production apps.
This workshop is packed with actionable advice, so everyone working with Angular will get something out of it.
ANGULARarchitects: The workshop is conducted as an interactive online workshop. Is this as good as an onsite workshop?
Philippe: If you want it to be, absolutely! Just like my onsite workshops, I make the online workshop interactive. There are demos in between the lectures, and we run plenty of interactive quizzes throughout the workshop.
But what makes an online workshop really good is input from the attendees. If they ask questions, I have a chance to elaborate on relevant topics. Sometimes people pitch in with their own experiences, making this a true interactive event. I really enjoy and encourage that.
ANGULARarchitects: Thanks for your time, Philippe.
Philippe: You’re welcome!
Become an Angular Security Expert with our Workshop!
Learn from none other than Dr. Philippe De Ryck everything you need to know to secure your Angular applications.