Security Signals - A framework to scale web security

Slawomir Goryczka

Software Engineer in Security,Google

Abstract

Ensuring the security of web applications developed by many different engineers requires a solid understanding of security details and can be quite hard to scale. Thus, a web security team should also own the rollouts of security features. This requires a mindset shift, and high-quality metrics and tools to perform such changes. In this session, we'll explore Security Signals, a framework for collecting and processing aggregated and de-identified traffic logs across all Google web properties. Using the adoption of strict CSP as an example, we will take a closer look at how all components work.

Video Chapters 13

00:00:00 Intro

00:01:06 Introduction to Web Security

00:12:06 Signal Collection Fundamentals

00:20:33 Organic Security Signals

00:23:45 Synthetic Security Signals

00:28:29 Processing Signals

00:35:14 Using Data to Improve Security

00:43:32 Security Signals Framework Goals

00:45:03 Use Case: Research and Remediations

00:46:39 Use Case: Adoption of Mitigations

00:53:16 Example: Cross-Site Request Forgery

01:04:55 Security Signals Infrastructure

01:06:01 Q & A