webappsec.dev
Leading Google's web security team. Passionate about web security and making secure-by-default web development the norm. Contributed to web platform security features like CSP, Fetch Metadata, COOP and Trusted Types.
53 posts 2,019 followers 672 following
comment in response to post
Thank you!
comment in response to post
great list! if you still have free slots, I'd be grateful to be added as well. I post/blog mostly about web security. Latest: bughunters.google.com/blog/6644316...
comment in response to post
Deserved!
comment in response to post
Added! 🚀
comment in response to post
I haven't looked into MITRE's methodology, but at Google we're using "domain tiers": bughunters.google.com/blog/4562175... On TIER0 domains a critical vulnerability (e.g. XSS or authorization bypass) could lead to a full compromise of a user's account or execution of code on their or a cloud system.
comment in response to post
Thank you 🙏
comment in response to post
If you still have a spot, I'd love to get added. I write about web security, web platform security features and safe by design principles
comment in response to post
These are all good points. One way to get good visibility into XSS issues on sensitive services is via bug bounty programs. At least this worked very well for us. Also CSP was a part of our approach of mitigating XSS at scale. See page 7: static.googleusercontent.com/media/public...
comment in response to post
Yes, this works (and imho the only approach that works at scale). See page 7 of Google's secure by design whitepaper: static.googleusercontent.com/media/public...
comment in response to post
Unfortunately, the only way to make this work right now is by adding 'strict-dynamic' to your CSP. This is an issue that comes up frequently, but we haven't so far been able to come up with an elegant way to address this in the web platform. cc: @mikewe.st @arturjanc.bsky.social
comment in response to post
Sure, added! Please add me to your Swiss Cyber Security package as well, I've been in CH for more than 10 years now =) bsky.app/starter-pack...
comment in response to post
Must have been quite a journey! Congrats!
comment in response to post
Of course! Added! So great that you're here too
comment in response to post
Mamma mia!
comment in response to post
✋ web security & web platform security features nerd and in a hate/love relationship with CSP (it's complicated)
comment in response to post
Check out @j-opdenakker.bsky.social starter pack too: go.bsky.app/HDnVb6K
comment in response to post
absolutely! Added =)
comment in response to post
Welcome Eduardo 🥳 Added you to the starter pack
comment in response to post
@webappsec.dev has go.bsky.app/Uf8dZhz, it's a good one.
comment in response to post
That's great news, really love the high quality of the content! The last two are already in the starter pack 👍
comment in response to post
Thank you! It's really great to see the community grow here!
comment in response to post
Also Signatures allow for nice advanced code provenance use cases like removing the CDN from the TCB by signing an OSS build in a github workflow and having the CDN pass on the pubkey.
comment in response to post
Indeed signatures have different security properties, but since trusting a signature is an opt-in feature, I'm not worried about this.
comment in response to post
added, thank you!
comment in response to post
also please join me in thanking @mikewe.st, @ddworken.bsky.social and @yoav.ws for pushing this forward!
comment in response to post
yeah, although the risk is that there'll be funky vendor solutions until there's browser support for proper solutions (like we proxy all scripts through our service or do some funky scanning to check if any of your scripts have changed)
comment in response to post
@skypacks.bsky.social FYI =)
comment in response to post
cc: @scotthelme.bsky.social reporting is being worked on as well
comment in response to post
this should qualify for being added to a starter pack for web security =D go.bsky.app/Uf8dZhz
comment in response to post
Really love the energy here! Here's a starter pack for web security: go.bsky.app/Uf8dZhz
comment in response to post
I'm using burp for like 15 years now, but @agarri.fr's training was absolutely mind blowing and really supercharged my burp skills!
comment in response to post
Amazing list! Thank you very much! I do a lot of web sec stuff as well and also started a list in case you'd like to add some more awesome folks to your starter pack =) bsky.app/starter-pack...
comment in response to post
that's a really nice one! thank you!
comment in response to post
You did the right thing 😉