Philippe De Ryck was with us to share valuable tips about security, mainly for Angular, a client-side JavaScript framework. As part of the Start & Scale Week agenda, the “Secure Your Code Masterclass” was the reason why 70 entrepreneurs visited Palácio da Bolsa to learn how they could make Angular apps safer.
The purpose of the masterclass was to explore security threats of Angular applications like the paradigm shift from server-side to client-side applications and its impacts on security, script-based threats and the defenses Angular offers to prevent or minimize these attacks.
The room was full and even extra chairs were needed, which proves that issues related to web security are a concern for startups and scaleups. However, despite this awareness, Philippe De Ryck highlighted the importance of continuous work:
“Awareness is step one, but managing security risks in your applications is a long-term process, and that’s where it becomes hard. Especially in a startup, with a hundred other things to do, it is tempting to neglect security. That’s why I always advise people to take security into account from the early stages, and have it evolve with your product. It seems like a lot of effort at first, but it will give you a competitive advantage in the end.”
About the threats that can affect Angular applications, Philippe provided great insights:
“Traditional script injection attacks are automatically mitigated by Angular. Unfortunately, with the use of these JavaScript frameworks, we now have to deal with a new class of attacks, called “script gadgets”. In such an attack, the injected code is actually harmless text, until it is detected by a framework, which turns it into executable code. Such attacks occur when you combine client-side frameworks with server-side page rendering, or when you combine multiple client-side frameworks together. The best defense against such attacks is to avoid mixing different paradigms together. Alternatively, you can also leverage Angular’s Ahead-of-Time compilation mode to pre-compile the templates, and avoid maliciously injected Angular code from being executed on the client side.”
Compared with many other frameworks, Angular offers extra value in terms of security: its architecture provides various security features out of the box. For example, Angular automatically encodes or sanitizes outputs, which mitigates an enormous amount of potential cross-site scripting (XSS) attack vectors. Angular also supports cross-site request forgery (CSRF) defenses out of the box, but you still need to enable that on your backend as well. Philippe left us a final tip to increase the security of your apps:
“The biggest step you can take to boost the security of your application is to approach your front-end as a full-fledged application, instead of merely some HTML and JavaScript. Modern web applications require a thought-out architecture, using compartmentalization of sensitive parts, and isolation of untrusted components. Technologies such as HTML5 sandboxes and Content Security Policy (CSP) can really help to reduce the capabilities of potentially malicious code.”
About the guest:
Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group’s Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.