Stopping XSS with Content Security

To an old establishment grown-up like me, Y Combinator looks like a super hip place. Twice a year, they select a crop of interesting-looking start-up companies and then offer expert advice, guidance, and connections in exchange for a 7% slice of equity. (And yes, I’m copying all this from Wikipedia.) The company has invested in 1,450 cool start-ups since 2006, and their alumni logo chart looks like something you’d see on the wall at Harvard Business School.

One of the West Coast participants in the Y Combinator program this past summer was a small company called Templarbit. I spent some quality time last week with Bjoern Zinssmeister, co-founder and CEO of the company, and I found the discussion fascinating. With backgrounds in bug bounty development, Bjoern and his team are now focused on preventing cross-site scripting (XSS) attacks in web applications.

The initial basis for much of their current work is the Content Security Policy (CSP) standard, created to reduce the risk of XSS, clickjacking, and other content injection attacks. The concept, first proposed by Robert Hansen in 2004 and first shipped in Firefox, is that the web server declares, in a Content-Security-Policy response header (or a meta tag), which sources the browser may load each kind of resource from: scripts, stylesheets, images, fonts, frames, and so on. A policy can also forbid inline scripts and eval() unless they carry a server-issued nonce or hash, which is what takes the teeth out of most injected XSS payloads.

The Templarbit solution identifies CSP deficiencies and gives application and website owners additional support to reduce security risk. The enterprise platform embeds agents into clients and app servers to support behavioral data exchange. “We are using the OWASP Top Ten as our guide,” Bjoern explained, “and we began with the cross-site vulnerability because it is the most common security issue in web applications.”

After our discussion, I went in and signed up for the free trial version of Templarbit from their download site and, sure enough, it detected deficiencies in my own website. I received a well-formatted report suggesting the proper approach to mitigation. “We’ve tried to establish our tool as the easiest-to-use and easiest-to-deploy web application security tool on the market,” Bjoern said. “It is one of our primary value propositions.”

I’m glad that security companies like Templarbit are focusing in this area, because it’s been my observation that application security represents perhaps the greatest cyber risk to the typical modern enterprise. This stems from immature software processes, poorly designed SDLCs, sloppy programming practices, and all the other challenges that have plagued software engineering since its inception fifty years ago.

With new platforms such as Templarbit, however, perhaps we can expect to see some security improvements in web application software – first for XSS avoidance, and soon for other OWASP vulnerabilities as the company makes progress. And I have no idea if Y Combinator maintains an active role with Templarbit, but if they do, then I hope they will help ensure that Bjoern and his team are sufficiently well-funded to continue improving their solution for enterprise customers.

Let me know what you think.