Preventing Security Bugs through Software Design

Thursday, August 13, 2015 - 11:00am-12:30pm

Christoph Kern, Google

Abstract: 

Many security bugs, such as Cross-Site Scripting (XSS), SQL injection, and buffer overruns, are, taken in isolation, relatively straightforward to understand and avoid. Nevertheless, it tends to be surprisingly hard to prevent their introduction in large-scale software development: large pieces of software have many code sites where such a bug could potentially be introduced, and large systems make it difficult to identify bugs once they exist.

This talk describes our approach to preventing the introduction of certain classes of security bugs in large-scale software development projects at Google. We present design patterns that confine the potential for XSS vulnerabilities to a very small, manually auditable fraction of an application's code base. These patterns have been applied to several of Google's flagship services and their underlying web application frameworks, and have resulted in a drastic reduction in the number of XSS bugs observed. We will discuss the applicability of bug-prevention approaches based on framework and API design to other vulnerability classes such as SQL injection, and close with observations on the practicality of integrating them into real-world, large-scale software development projects.
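As an added illustration of the confinement pattern the abstract describes (example code written for this page, not Google's library or the talk's own code): a SafeHtml type that can only be produced by a handful of constructors, so every HTML sink accepts that type instead of a string and only the constructors need manual audit. The names SafeHtml, EscapeText, Concat, TrustedMarkup and RenderToSink, and the sample input, are assumptions made for this example.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// SafeHtml holds markup known to be safe to emit into an HTML document. Its
// only field is unexported, so when this type lives in its own package the
// constructors below are the sole way to obtain a value. Those few functions
// are the small, manually auditable surface; every sink takes SafeHtml, not string.
type SafeHtml struct{ markup string }

// EscapeText is the constructor untrusted data must flow through: it
// HTML-escapes the input so the result cannot break out of text context.
func EscapeText(untrusted string) SafeHtml {
	return SafeHtml{markup: html.EscapeString(untrusted)}
}

// Concat joins fragments that are already safe; safety is preserved by
// construction, so no further escaping is needed.
func Concat(parts ...SafeHtml) SafeHtml {
	var b strings.Builder
	for _, p := range parts {
		b.WriteString(p.markup)
	}
	return SafeHtml{markup: b.String()}
}

// TrustedMarkup wraps a developer-authored literal without escaping. It is the
// one deliberately unchecked constructor, so its call sites are what a reviewer audits.
func TrustedMarkup(literal string) SafeHtml { return SafeHtml{markup: literal} }

// RenderToSink is the only path to HTML output; its parameter type makes it
// impossible to hand it raw user input without passing through a constructor first.
func RenderToSink(h SafeHtml) string { return h.markup }

// Greeting builds a page fragment from an untrusted name, e.g. a query parameter.
func Greeting(untrustedName string) string {
	return RenderToSink(Concat(
		TrustedMarkup("<p>Hello, "),
		EscapeText(untrustedName),
		TrustedMarkup("!</p>"),
	))
}

func main() {
	fmt.Println(Greeting("<b>Mallory</b>")) // constructed sample input; tags come out as inert text
}
```

In a real code base the type would sit in its own package, so the compiler, not convention, forces untrusted strings through EscapeText, and a grep for TrustedMarkup lists every site a reviewer must read.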

Christoph Kern has been an Information Security Engineer at Google since 2003. Since 2012, he has been leading a team focused on the prevention and mitigation of security vulnerabilities in Google's applications and services through framework, API, and platform design. Christoph is a founding contributor to the IEEE Computer Society Center for Secure Design, and serves on the CSD's steering committee.



BibTeX
@conference {208807,
author = {Christoph Kern},
title = {Preventing Security Bugs through Software Design},
year = {2015},
address = {Washington, D.C.},
publisher = {USENIX Association},
month = aug,
}