Download the presentation PDF file: Covalence-2020-Carettoni-DemocratizingElectronSecurity.pdf
We love Electron.js so much that we break it. Since 2017, we have audited dozens of Electron-based applications and witnessed a remarkable commitment to security. Back then, breaking the framework's security mechanisms wasn't too difficult. Fast forward to 2020: Electron.js is getting better, secure-by-default settings are slowly becoming the norm, vulnerability disclosure is handled with consolidated practices, and the dev community is gradually learning all the common pitfalls.
It is better, but there is still a long road ahead. Responsibilities must be equally shared between core contributors and application developers. While the most effective way to bring security capabilities to everyone is to have them built into the framework, it is also important to have a community that considers security a core value. Closing the web-native desktop gap is not trivial, as we have to balance security with usability and framework flexibility.
In this talk we want to celebrate the progress made and discuss the technical challenges that both Electron.js maintainers and application developers face when building secure desktop applications. We will show common vulnerabilities and misconfigurations, discuss their root causes, and provide practical tips on how to mitigate existing attacks. If you care about Electron.js security, this talk is for you!