Presented at Global AppSec - DC 2019, Sept. 12, 2019, 4:30 p.m. (45 minutes).
Learn how a seemingly inconsequential code pattern enables development teams to bound the amount of code that needs security scrutiny, how combining it with some specific software pipeline & workflow changes enables a small blue team to ride herd on a larger, fast-moving application development group, and how this incentivized investment in security infrastructure within Google.
This talk:
* uses the Trusted Types WICG proposal to explain the code change,
* explains how Google has internally done the same for server-side injection vulns across 6 programming languages and presents bug bounty stats for projects (Gmail and others) that adopted these techniques,
* explains how we tweaked Google's code analysis pipeline and commit workflow to enable efficient interactions between security & devs,
* identifies analogous (& currently-overlooked) open-source mechanisms,
* explains how some specific integrations guide developers towards secure code patterns and incentivize investment in secure tools & abstractions.
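The "seemingly inconsequential code pattern" the abstract refers to is a safe contract type: a value that only a small, reviewed policy can mint, and that every dangerous sink insists on. The example below is added here to show that pattern in plain JavaScript; it is not code from the talk, from Google, or from the Trusted Types proposal, and it deliberately avoids the browser `window.trustedTypes` API so it runs offline. `SafeHtml`, `createPolicy`, `setInnerHtml`, `makeElement` and `render` are hypothetical names chosen for this illustration, and the DOM element is a stand-in object.

```javascript
// Added illustration of the safe-contract-type pattern that Trusted Types
// standardises for the browser. Self-contained: no real DOM, no
// window.trustedTypes. All names here are hypothetical example names.

// Private capability: only code holding MINT can construct a SafeHtml.
const MINT = Symbol('SafeHtml.mint');

// The contract type. Holding an instance means "a registered policy produced this".
class SafeHtml {
  #html;
  constructor(token, html) {
    if (token !== MINT) {
      throw new TypeError('SafeHtml can only be minted by a registered policy');
    }
    this.#html = String(html);
  }
  toString() { return this.#html; }
}

// Policy registry: the set of named policies is the whole surface a reviewer
// has to read, which is what bounds the code needing security scrutiny.
const registeredPolicies = new Map();

function createPolicy(name, rules) {
  if (registeredPolicies.has(name)) {
    throw new Error(`policy "${name}" already exists`);
  }
  if (typeof rules.createHTML !== 'function') {
    throw new TypeError('policy must define createHTML(input)');
  }
  const policy = Object.freeze({
    name,
    createHTML(input) {
      // rules.createHTML is the only place untrusted input becomes markup.
      return new SafeHtml(MINT, rules.createHTML(String(input)));
    },
  });
  registeredPolicies.set(name, policy);
  return policy;
}

// Sink: refuses plain strings, so ordinary app code cannot inject raw markup.
function setInnerHtml(element, value) {
  if (!(value instanceof SafeHtml)) {
    throw new TypeError('innerHTML requires SafeHtml; create one through a policy');
  }
  element.innerHTML = value.toString();
  return element;
}

// Minimal stand-in for a DOM element so the example runs outside a browser.
function makeElement() { return { innerHTML: '' }; }

// One reviewed policy: HTML-escape everything, so any input becomes inert text.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) { return s.replace(/[&<>"']/g, (c) => ESCAPES[c]); }
const textPolicy = createPolicy('text-only', { createHTML: escapeHtml });

// Renders an untrusted string through the policy and the guarded sink.
function render(untrusted) {
  return setInnerHtml(makeElement(), textPolicy.createHTML(untrusted)).innerHTML;
}

// True when the sink rejects a raw string: the guarantee the contract type buys.
function sinkRejectsRawString(s) {
  try { setInnerHtml(makeElement(), s); return false; }
  catch (e) { return e instanceof TypeError; }
}

// True when nothing outside a policy can mint the type.
function mintingRequiresPolicy() {
  try { new SafeHtml(null, '<b>x</b>'); return false; }
  catch (e) { return e instanceof TypeError; }
}

// Constructed sample input: a classic markup payload rendered as inert text.
console.log(render('<img src=x onerror=alert(1)>'));
```

With this in place a reviewer only reads the `createPolicy` calls and the policy bodies; every other `innerHTML`-style write is forced through them by the type check in the sink, which is the same division of labour the real Trusted Types API enforces via a CSP `trusted-types` allowlist.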
Presenters: Mike Samuel (Google LLC)
Mike Samuel works on Google's technical infrastructure team improving libraries and programming languages to make it easier to produce secure & robust software.
Mike has worked on JavaScript sandboxing, the Secure ECMAScript and other language committee proposals, making template languages XSS-free, tweaking linkers to check system security properties, and providing end-to-end security via safe contract types. He is currently investigating full-stack security.
Mike has previously spoken at various security and developer conferences including ACM CCS, Ajax Experience, Google I/O, JavaOne, Linux Foundation OSLS, OWASP Research, OWASP Appsec, JSConf EU, Node Summit, and Nordic JS.