Thank you for joining us at our 20th Anniversary Event! All sessions were recorded and will be posted in the coming weeks on the OWASP YouTube channel.

We have been working hard to secure the world through challenges and discovery. And now, it’s time to celebrate! Many of you have played a crucial role in the Foundation’s enduring history, and we encourage you to participate in the celebration coming this September! Our theme, Securing the Next 20 Years, is encouraging and exciting as we look ahead to the next 20 years!

Join us for FREE at this live 24-hour global event as we honor the past, celebrate the present, and embrace the future of OWASP and cybersecurity. Hear from world-renowned keynotes and special speakers, and network with your peers. It is FREE to attend, however, registration IS required, to gain access to the session links.

Friday, September 24 • 5:00am - 5:30am
Achieving the Web Isolation Nirvana - How far along are we?

Log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
​​​​Security isolation is a design principle that improves the resilience of applications against attacks. It works like a second layer of defense that protects the application in the presence of a security breach, by containing the attack to the compromised partition.  Sandboxing is one of the techniques often used to provide isolation by restricting code to a limited permission set. Isolation, in this context, is limiting what can happen if a vulnerability is exploited.  It has a strong tie to the also well-known security principles of Least Privilege and Privilege Separation.

Any application can and should be designed using these principles. However, it is of vital importance for applications that include untrusted or 3rd party code. Companies can do code reviews of untrusted code before using it, but that is prone to oversights and is too costly to be done for every code change. Additionally, code reviews can be difficult to do in situations where there is no ahead of time access to the code, which is usually the case with web applications, where 3rd party vendor services are directly embedded into applications from their remote servers.

Using 3rd party code/components is a growing trend observed in the last decade, and will keep growing, as companies work towards cutting the development time of new applications. This is especially true for Web Applications as high-scale modern Web Applications use dozens of different 3rd party services. Any untrusted code can be compromised and put the rest of the Web Application at risk, potentially leaking sensitive data.

Throughout the years, several solutions and best practices have been advocated for creating Web Applications leveraging Web Isolation. The core security model of Browser-based apps sits upon the Same Origin Policy (SOP), a mechanism that aims to prevent different security domains from interfering with each other in malicious ways. But the SOP is limited to what it can do, and imposes several limitations to how the application is designed. It's neither practical nor economically efficient to split every code partition in its own origin. Iframe Sandboxing was a good complement to SOP, but its adoption is still anemic, as most third party scripts require direct access to the DOM and to other scripts in order to function properly. Despite our best efforts to bring effective Web Isolation and privilege separation to the client-side, we are still struggling.

In this talk, we will attempt to tie in the journey of the last 20 years of Web Isolation to the “next 20 years”.  We’ll make a pit stop in the present, where we’ll showcase a client-side sandboxing solution that is transparent, does not require any browser modification and can be embedded into any Web Application.  We can pontificate on  what will be the likely state of Web Isolation for  applications deployed in the future.  And lastly, we can discuss where the security challenges will likely be located and how we, the security community, need to work together in order to overcome those challenges.

avatar for Jasvir Nagra

Jasvir Nagra

Security Engineer, Dropbox
Jasvir Nagra is widely recognized as a thought leader in software protection. He is co-author of Surreptitious Software, the definitive textbook on software protection, and an early researcher in obfuscation, software watermarking, and fingerprinting. With more than 12 years of experience... Read More →
avatar for Pedro Fortuna

Pedro Fortuna

CTO and Founder, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years - ended up falling in love with the fast paced world of entrepreneurship. Started Jscrambler where he leads all security research and drives the company product... Read More →

Friday September 24, 2021 5:00am - 5:30am EDT