A Case Study in Scaling Oversight presented at GlobalAppSec-DC 2019

by Mike Samuel

Summary: Learn how a seemingly inconsequential code pattern enables development teams to bound the amount of code that needs security scrutiny, how combining it with some specific software pipeline and workflow changes enables a small blue team to ride herd on a larger, fast-moving application development group, and how this incentivized investment in security infrastructure within Google.

This talk:

* uses the Trusted Types WICG proposal to explain the code change,
* explains how Google has internally done the same for server-side injection vulns across 6 programming languages and presents bug bounty stats for projects (Gmail and others) that adopted these techniques,
* explains how we tweaked Google's code analysis pipeline and commit workflow to enable efficient interactions between security & devs,
* identifies analogous (& currently-overlooked) open-source mechanisms.
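The code pattern the summary alludes to, shown as an added example that is not from the talk, from Google's code, or from the Trusted Types specification: a miniature of the Trusted Types idea that runs in Node. The real API lives on `window.trustedTypes` in browsers, so `createPolicy`, `TrustedHTML` and `setInnerHTML` below are stand-ins defined in the block (assumptions for illustration). The point it demonstrates is the bounding of review surface: the sink rejects plain strings, so the only code a security reviewer must read is the body of each policy, however much application code calls the sink.

```javascript
// Added example (not from the talk): a self-contained, simplified model of
// the Trusted Types pattern that runs in Node. The real API lives on
// window.trustedTypes in browsers; createPolicy, TrustedHTML and setInnerHTML
// below are stand-ins defined here for illustration.

const POLICY_TOKEN = Symbol("created-by-policy"); // capability; never exported

// A value that sinks accept. Only a policy holds the token needed to mint one,
// so the set of code that can produce TrustedHTML is enumerable: the policies.
class TrustedHTML {
  #value;
  constructor(value, token) {
    if (token !== POLICY_TOKEN) {
      throw new TypeError("TrustedHTML must be created through a policy");
    }
    this.#value = value;
    Object.freeze(this);
  }
  toString() { return this.#value; }
}

const registeredPolicies = new Set();

// Stand-in for trustedTypes.createPolicy(name, rules). Each policy is the
// reviewable unit: a reviewer audits its createHTML rule once, and every
// caller that goes through it inherits that review. Duplicate names are
// rejected so a second, unreviewed policy cannot shadow a reviewed one.
function createPolicy(name, rules) {
  if (registeredPolicies.has(name)) {
    throw new TypeError(`policy "${name}" already exists`);
  }
  if (typeof rules.createHTML !== "function") {
    throw new TypeError("policy needs a createHTML rule");
  }
  registeredPolicies.add(name);
  return Object.freeze({
    name,
    createHTML: (input) =>
      new TrustedHTML(rules.createHTML(String(input)), POLICY_TOKEN),
  });
}

// Stand-in for an enforced DOM sink (element.innerHTML under a
// "require-trusted-types-for 'script'" CSP): plain strings are rejected.
function setInnerHTML(element, value) {
  if (!(value instanceof TrustedHTML)) {
    throw new TypeError("This sink requires TrustedHTML; plain strings are rejected");
  }
  element.innerHTML = String(value);
  return element;
}

// The one place that needs security review: an HTML-escaping policy.
const escapePolicy = createPolicy("escape-only", {
  createHTML: (s) => s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;"),
});

// Application code: any amount of it can call the sink, and none of it needs
// review, because the type check forces every value through a policy.
function renderUserComment(comment) {
  const el = { innerHTML: "" }; // constructed stand-in for a DOM element
  return setInnerHTML(el, escapePolicy.createHTML(comment));
}

// Reports whether an attempt to hand the sink a raw string is refused.
function rawAssignmentRejected(str) {
  try {
    setInnerHTML({ innerHTML: "" }, str);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Usage: constructed sample input, not taken from the talk.
console.log(renderUserComment('<b>hi</b> & "quotes"').innerHTML);
```

In a real deployment the enforcement comes from the browser once the `require-trusted-types-for 'script'` CSP directive is set, and the `trusted-types` directive names which policies may exist; here both are modelled by the `instanceof` check in the sink and the registry in `createPolicy`.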