Security BSides Las Vegas 2025

Aaron Shim

Jen Ozmen is a Software Engineer at Google, where she works on the Information Security Engineering team. She is passionate about building secure and reliable software, and she is always looking for new ways to improve the security of Google's products and services.

Aaron is a software engineer at Google who focuses on web security features and adoption across all Google products. Before working on security, he was on product teams for Google Cloud and Google Workspace. Before Google, he had a brief stint at Microsoft. Prior to big tech, he wrote a lot of Ruby on Rails code.


Session

08-05
11:00
20min
Securing Frontends at Scale: Paving our Way to the Post-XSS World
Aaron Shim

Cross-site scripting (XSS) continues to be the dominant class of bugs exploited on the web today. Over the past decade, Google's security and product teams have invested heavily in developing scalable defenses, including code hardening measures and adopting web platform features that prevent or mitigate XSS across our ecosystem. In this talk, we will provide developers with a blueprint for enabling robust XSS protections in their code.

We will share our stories of how we rolled out our two biggest runtime protections against XSS (strict Content Security Policy and Trusted Types) at scale, as well as the compile-time protections that complement them, across hundreds of products accessed by billions of users. We'll share technical lessons learned and summarize our best practices to keep your code secure as well.

In addition, we will explore a bit of what the future has in store for anti-XSS protections, including what we would like to see as platform-level defaults to truly eradicate XSS as an endemic problem in all web apps.

Ground Floor
Florentine E