Preventing Security Bugs through Software Design

Many security bugs, such as Cross-Site-Scripting (XSS), SQL injection, buffer overruns, etc, are in isolation relatively straightforward to understand and avoid. Nevertheless, it tends to be surprisingly hard to prevent their introduction in large-scale software development: Large pieces of software have many code sites where such a bug could be potentially introduced, and large systems make it difficult to identify bugs once they exist.

This talk describes our approach to preventing the introduction of certain classes of security bugs in large-scale software development projects at Google. We present design patterns to confine the potential for XSS vulnerabilities to a very small, manually auditable fraction of an application's code base. These patterns have been applied to several of Google's flagship services and their underlying web application frameworks, and have resulted in a drastic reduction of XSS bugs observed. We will discuss the applicability of bug-prevention approaches based on framework and API design to other vulnerabilities classes such as SQL injection, and close with observations on the practicality of their integration into real-world, large scale software development projects.

Christoph Kern has been an Information Security Engineer at Google since 2003. Since 2012, he has been leading a team focused on the prevention and mitigation of security vulnerabilities in Google's applications and services through framework, API, and platform design. Christoph is a founding contributor to the IEEE Computer Society Center for Secure Design, and serves on the CSD's steering committee.