Lukas Weichselbaum
@webappsec.dev
Leading Google's web security team.
Passionate about web security and making secure-by-default web development the norm. Contributed to web platform security features like CSP, Fetch Metadata, COOP and Trusted Types.
Pinned
Lukas Weichselbaum
@webappsec.dev
· Nov 16
If you're into web security take a look at my LocoMocoSec keynote slides from this summer about "Google's Recipe for Scaling (Web) Security": speakerdeck.com/lweichselbau...
One of my teams at Google, 𝗔𝗜 𝗔𝗴𝗲𝗻𝘁 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆, is expanding in 𝗭𝘂𝗿𝗶𝗰𝗵 🇨🇭 and 𝗡𝗲𝘄 𝗬𝗼𝗿𝗸 🇺🇸. We're looking for 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗘𝗻𝗴𝗶𝗻𝗲𝗲𝗿𝘀 with experience in attacking and securing AI/ML systems. DMs open.
April 9, 2025 at 6:45 PM
Reposted by Lukas Weichselbaum
Excited to present Security Signals with @ddworken.bsky.social and @webappsec.dev, my primary project at Google for the past five years. Thanks, @madwebwork.bsky.social!
Paper: research.google/pubs/securit...
Slides: speakerdeck.com/mikispag/sec...
Security Signals: Making Web Security Posture Measurable At Scale
research.google
March 1, 2025 at 7:51 AM
Reposted by Lukas Weichselbaum
Building secure web apps shouldn't be a burden. We've built a high-assurance web framework at Google that makes security easy for developers. Learn about our "Secure by Design" approach and how it works in our new blog post:
bughunters.google.com/blog/6644316...
cc: @ddworken.bsky.social
Blog: Secure by Design: Google's Blueprint for a High-Assurance Web Framework
Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.
bughunters.google.com
February 4, 2025 at 9:57 AM
The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)
bughunters.google.com/blog/6355265...
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)
The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...
bughunters.google.com
December 4, 2024 at 6:24 PM
Reposted by Lukas Weichselbaum
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices are always opt-in and finally how YOU can get increased security controls.
Modern solutions against cross-site attacks
frederikbraun.de
November 27, 2024 at 7:50 AM
Reposted by Lukas Weichselbaum
This is my #IT, #Infosec, and #Cybersecurity starter pack.
There’s plenty of room if some people want to be added too. But here are some feeds and people I recommend following.
go.bsky.app/QYMa3yN
November 26, 2024 at 9:19 PM
MITRE: Cross-Site Scripting Is 2024's Most Dangerous Software Weakness
www.darkreading.com/application-...
Cross-Site Scripting: 2024's Most Dangerous Software
In addition to XSS, MITRE and CISA's 2024 list of the 25 most dangerous security vulnerability types (CWEs) also flagged out-of-bounds write, SQL injection, CSRF, and path traversal.
www.darkreading.com
November 26, 2024 at 7:43 PM
Reposted by Lukas Weichselbaum
Handling Cookies is a Minefield:
Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.
grayduck.mn/2024/11/21/h...
November 21, 2024 at 5:11 PM
Congratulations, this is amazing!
Since you asked, our Google CSP/Reporting API collector currently processes ~3.5B reports per day. That's for CSP, COOP, Trusted Types, and custom reporting.
It has enabled us to truly scale up deployment of web platform security features across Google in a safe way.
Over the last 24 hours, report-uri.com has processed more than 1,000,000,000 pieces of telemetry!
This gives us a unique view of JavaScript behaviour across the Web, as observed by over 15,000,000 unique browsers around the World.
Talk about Threat Intelligence capabilities!
November 22, 2024 at 3:14 PM
Reposted by Lukas Weichselbaum
@webappsec.dev has go.bsky.app/Uf8dZhz, it's a good one.
November 21, 2024 at 6:25 AM
Reposted by Lukas Weichselbaum
What do you call a padlock for spiders?
Web security!
...
I'll see myself out...
November 18, 2024 at 6:46 PM
Reposted by Lukas Weichselbaum
It took me twelve years (!) to build up my audience on Twitter. It took 5 days to surpass the 50% point of my Twitter following on Bluesky. I’m hopeful that the overall growth on this site will negate the need to go on Twitter altogether. Sad to see what it devolved into, but thrilled to see it die.
November 19, 2024 at 12:11 AM
Reposted by Lukas Weichselbaum
Bluesky now has over 20M people!! 🎉
We've been adding over a million users per day for the last few days. To celebrate, here are 20 fun facts about Bluesky:
November 19, 2024 at 6:51 PM
Reposted by Lukas Weichselbaum
Great article about multipart parsing. Reminds me about the bypasses I found in modsec parser medium.com/@terjanq/waf...
November 19, 2024 at 1:13 PM
Signature-based SRI is being spec'd right now:
wicg.github.io/signature-ba...
This will be useful for many use cases and become relevant for PCIv4 compliance, which requires assuring the integrity of sourced scripts (6.4.3).
Please chime in and share your use cases: github.com/WICG/signatu...
November 18, 2024 at 4:13 PM
Web security starter pack is in good shape now and includes many amazing folks passionate about web security like @terjanq.bsky.social and @shehackspurple.bsky.social:
go.bsky.app/Uf8dZhz
Please share and recommend folks passionate about web security so we can get this community started here 🙂
November 18, 2024 at 3:58 PM
Read all about how we made web security measurable at Google! Security signals have allowed us to massively scale our web security program and enabled us to deploy security features like CSP or Trusted Types at scale!
November 17, 2024 at 6:00 PM
I'm in the process of creating a *web security* starter pack and need your help finding more webbies here. Please share and recommend folks passionate about web security in comments below so we can get this community started here 🙂
go.bsky.app/Uf8dZhz
November 17, 2024 at 10:12 AM
Reposted by Lukas Weichselbaum
Excited to share our latest blog post on memory safety! We’re tackling spatial safety in our massive C++ codebase by hardening libc++ by default. It adds bounds checks to things like std::vector, preventing a fair bit of out-of-bounds vulnerabilities: security.googleblog.com/2024/11/retr...
Retrofitting Spatial Safety to hundreds of millions of lines of C++
Posted by Alex Rebert and Max Shavrick, Security Foundations, and Kinuko Yasada, Core Developer Attackers regularly exploit spatial mem...
security.googleblog.com
November 15, 2024 at 7:02 PM
If you're into web security take a look at my LocoMocoSec keynote slides from this summer about "Google's Recipe for Scaling (Web) Security": speakerdeck.com/lweichselbau...
November 16, 2024 at 10:29 PM
If you haven't deleted your Twitter account yet, please signal boost this post so we can get more folks connected over here:
x.com/we1x/status/...
November 16, 2024 at 9:42 PM
XSS vulnerabilities keeping you up at night? 😱 Google's new "Commitment to Secure by Design" whitepaper has answers! Safe Coding and web platform improvements are key. Read more (page 7):
static.googleusercontent.com/media/public...
static.googleusercontent.com
November 16, 2024 at 9:31 PM