Lukas Weichselbaum

@webappsec.dev.bsky.social

Leading Google's web security team. Passionate about web security and making secure-by-default web development the norm. Contributed to web platform security features like CSP, Fetch Metadata, COOP and Trusted Types.

2,260 Followers  |  673 Following  |  55 Posts  |  Joined: 18.11.2023

Latest posts by webappsec.dev on Bluesky

One of my teams at Google, AI Agent Security, is expanding in Zurich 🇨🇭 and New York 🇺🇸. We're looking for Security Engineers with experience in attacking and securing AI/ML systems. DMs open.

09.04.2025 18:45  |  👍 3  🔁 3  💬 1  📌 0
Release Notes for Safari Technology Preview 215: Safari Technology Preview Release 215 is now available for download for macOS Sequoia and macOS Sonoma.

Safari Tech Preview 215: Added support for Trusted Types 🎉

webkit.org/blog/16523/r...

18.03.2025 17:40  |  👍 8  🔁 1  💬 0  📌 1
Security Signals: Making Web Security Posture Measurable At Scale

Excited to present Security Signals with @ddworken.bsky.social and @webappsec.dev, my primary project at Google for the past five years. Thanks, @madwebwork.bsky.social!

Paper: research.google/pubs/securit...
Slides: speakerdeck.com/mikispag/sec...

01.03.2025 07:51  |  👍 10  🔁 4  💬 0  📌 1
Blog: Secure by Design: Google's Blueprint for a High-Assurance Web Framework Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.

Building secure web apps shouldn't be a burden. We've built a high-assurance web framework at Google that makes security easy for developers. Learn about our "Secure by Design" approach and how it works in our new blog post:
bughunters.google.com/blog/6644316...

cc: @ddworken.bsky.social

04.02.2025 09:57  |  👍 16  🔁 5  💬 0  📌 1

Thank you!

04.02.2025 10:38  |  👍 1  🔁 0  💬 0  📌 0

Great list! If you still have free slots, I'd be grateful to be added as well. I post/blog mostly about web security. Latest: bughunters.google.com/blog/6644316...

04.02.2025 10:25  |  👍 1  🔁 0  💬 1  📌 0

Deserved!

26.01.2025 18:19  |  👍 3  🔁 0  💬 0  📌 0

Added! 🚀

04.12.2024 22:36  |  👍 0  🔁 0  💬 0  📌 0
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!) The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...

The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)

bughunters.google.com/blog/6355265...

04.12.2024 18:24  |  👍 5  🔁 2  💬 0  📌 0
Blog: Externalizing the Google Domain Tiers Concept Do you want to know more about the concept of domain tiers, understand how they are applied at Google, and view a list of Google's highest sensitivity domains? Take a look at this blog post to find ou...

I haven't looked into MITRE's methodology, but at Google we're using "domain tiers": bughunters.google.com/blog/4562175...
On TIER0 domains a critical vulnerability (e.g. XSS or authorization bypass) could lead to a full compromise of a user's account or execution of code on their or a cloud system.

02.12.2024 23:28  |  👍 1  🔁 0  💬 1  📌 0
Modern solutions against cross-site attacks

Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices are always opt-in and finally how YOU can get increased security controls.

27.11.2024 07:50  |  👍 34  🔁 19  💬 0  📌 1

Welcome @shhnjk.bsky.social 🎉

26.11.2024 21:26  |  👍 1  🔁 0  💬 0  📌 0

Thank you 🙏

26.11.2024 21:24  |  👍 0  🔁 0  💬 0  📌 0

This is my #IT, #Infosec, and #Cybersecurity starter pack.
There's plenty of room if some people want to be added too. But here are some feeds and people I recommend following

go.bsky.app/QYMa3yN

26.11.2024 21:19  |  👍 19  🔁 4  💬 4  📌 0

If you still have a spot, I'd love to get added. I write about web security, web platform security features and safe-by-design principles.

26.11.2024 21:22  |  👍 0  🔁 0  💬 1  📌 0

These are all good points. One way to get good visibility into XSS issues on sensitive services is via bug bounty programs.
At least this worked very well for us.
Also CSP was a part of our approach of mitigating XSS at scale. See page 7: static.googleusercontent.com/media/public...

26.11.2024 21:13  |  👍 0  🔁 0  💬 1  📌 0

Yes, this works (and imho the only approach that works at scale). See page 7 of Google's secure by design whitepaper: static.googleusercontent.com/media/public...

26.11.2024 21:10  |  👍 1  🔁 0  💬 0  📌 0
Cross-Site Scripting: 2024's Most Dangerous Software In addition to XSS, MITRE and CISA's 2024 list of the 25 most dangerous security vulnerability types (CWEs) also flagged out-of-bounds write, SQL injection, CSRF, and path traversal.

MITRE: Cross-Site Scripting Is 2024's Most Dangerous Software Weakness

www.darkreading.com/application-...

26.11.2024 19:43  |  👍 5  🔁 0  💬 5  📌 0

Unfortunately, the only way to make this work right now is by adding 'strict-dynamic' to your CSP. This is an issue that comes up frequently, but we haven't so far been able to come up with an elegant way to address this in the web platform.

cc: @mikewe.st @arturjanc.bsky.social

26.11.2024 18:40  |  👍 2  🔁 0  💬 0  📌 0

Sure, added! Please add me to your Swiss Cyber Security package as well, I've been in CH for more than 10 years now =)

bsky.app/starter-pack...

25.11.2024 14:22  |  👍 0  🔁 0  💬 1  📌 0

Must have been quite a journey! Congrats!

24.11.2024 19:52  |  👍 1  🔁 0  💬 0  📌 0

Of course! Added! So great that you're here too

24.11.2024 19:38  |  👍 1  🔁 0  💬 1  📌 0

Mamma mia!

23.11.2024 19:39  |  👍 3  🔁 0  💬 0  📌 0
Handling Cookies is a Minefield:

Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.

grayduck.mn/2024/11/21/h...

21.11.2024 17:11  |  👍 169  🔁 54  💬 13  📌 8

Congratulations, this is amazing!
Since you asked, our Google CSP/Reporting API collector currently processes ~3.5B reports per day. That's for CSP, COOP, Trusted Types, and custom reporting.
It has enabled us to truly scale up deployment of web platform security features across Google in a safe way.

22.11.2024 15:14  |  👍 2  🔁 0  💬 0  📌 0

✋ web security & web platform security features nerd and in a hate/love relationship with CSP (it's complicated)

21.11.2024 21:47  |  👍 1  🔁 0  💬 0  📌 0

Check out @j-opdenakker.bsky.social starter pack too: go.bsky.app/HDnVb6K

21.11.2024 08:29  |  👍 1  🔁 0  💬 1  📌 0

Absolutely! Added =)

21.11.2024 07:49  |  👍 0  🔁 0  💬 0  📌 0

Welcome Eduardo 🥳
Added you to the starter pack

21.11.2024 07:47  |  👍 1  🔁 0  💬 1  📌 0