Content Security Policy (CSP) - Another example on application security and "assumptions vs. reality"

http://blog.sec-consult.com/2013/07/content-security-policy-csp-another.html
Content Security Policy
Software applications have been around for quite some time. After the first security vulnerabilities and corresponding exploits emerged from the back rooms of software development and administration departments in the 1980s, it took software vendors more than two decades before they slowly started reacting to the tens of thousands of security defects that have been published, in a more or less responsible manner, by security researchers and other people who frequently stumble upon them.

The sad story is that instead of addressing the root of the problem, which, as we all know, is proper software development engineering methods and application security programs, most of the software vendors and big players in our industry chose to take a completely different path, one that would take responsibility away from the engineers and developers and introduce additional protective security layers into operating systems, development frameworks, servers, clients and even the applications themselves.
