Krzysztof Kotowicz at RuhrSec

Google’s Web Security Researcher Krzysztof Kotowicz: Insecure Coding Is the Default

We talked with Krzysztof Kotowicz, a hacker, pentester, and a web security researcher from the Information Security Engineering team at Google

Krzysztof Kotowicz, a seasoned pentester and security specialist, shares his immense passion for finding faults in coding, relates a story of how he got featured at the Google’s Security Hall of Fame and then ended up at the most exciting team at Google. In this interview, he also talks about the current state of web security, recent developments in privacy-focused APIs, and predicts the future of pentesting. Krzysztof is coming to Amsterdam to give a talk at JSNation Conference, June 6–8, 2019.

Hello Krzysztof, and welcome to the interview with JS Nation! What brought you to tech, and then security and pentesting?

I knew I wanted to be a programmer since I was a kid. It all started when my father bought an Atari 800 XL, hooked it up to our TV set and taught me BASIC. Pretty soon I started writing little games, animations, even a paintbrush-like tool you controlled with a joystick. Later on, I began writing business applications for the desktop & the web and noticed it’s pretty easy to code insecurely — in fact, that’s the default. If you learn a new language and follow the regular tutorials, books, and articles, you’ll end up with insecure code. That seemed wrong, and it got me into security. I found a local OWASP (Open Web Application Security Project) chapter and started attending the meetings, presenting there and eventually got a job as a pentester.

What did you do before your involvement with Google?

I did a fair share of web development in PHP, both freelancing and as a day job. When I picked an interest in web security, I did all sorts of things — pentesting, security consulting, running security trainings, research, and writing security tools.

What did you do to get featured at Google’s Security Hall of Fame and how did you get into Google?

It was only one bug reported to Google VRP that got me featured, it wasn’t even a particularly cool one :) After a couple of years, at a conference, sirdarckcat@ from the Google Security Team reached out to me, and that’s how my Google adventure has started. Eduardo is now my manager and we hack all the things together ;)

What advice can you give anyone who wants to work for big corporations like Google (or Facebook, Apple, etc.)?

I don’t think there is a secret sauce to getting employed by a corporation. Work the basics, be passionate about what you do. Find your niche and try to develop an expertise in it. I would advise you not to focus on the goal of getting employed by X or Y. Focus instead on doing what you’re excited about and what makes you happy, the logo on your business card is really not that important, especially in tech.

What open source projects are you currently involved in?

Not too many nowadays, unfortunately. I send patches to random projects once in a while when I stumble upon a bug, but I’m not committing anything regularly. My work nowadays centers around the Trusted Types API we’re building into the browsers, as part of it I maintain the polyfill repository (https://github.com/WICG/trusted-types).

You’ve been a public speaker at international IT and security conferences since as early as 2011. What was your last talk about?

I did all sorts of web security talks over the years, mostly talking about offensive security techniques. I’m most proud of the talks describing the results of the script gadgets research (https://github.com/google/security-research-pocs/tree/master/script-gadgets) we did with my friends from Google and SAP. My last talk was about Trusted Types and the ways it can help kill DOM XSS, an entire vulnerability class.

What makes your work as a security specialist and pentester exciting?

It changes over the years — for example, the offensive security research used to be “my thing,” but now I’m most excited about the defensive side, especially ways to make writing secure code easy. It’s troubling that so many vulnerabilities could be avoided if only the APIs available to developers were better — and I’m set to change this as much as I can.

How did you help the Google team achieve a high level of safety against Cross-Site Scripting (XSS)?

XSS prevention at Google works exactly like this: we created libraries and APIs that make introducing XSS vulnerabilities nearly impossible. At the same time, we blocked access to the standard, XSS-prone ways of coding. We feel only this approach can work at scale — give the developers the right tooling, make it useful such that you don’t slow them down and watch the magic happen. Based on this experience we’re making these APIs available for all web developers — check out Trusted Types.

What future do you predict for a web security profession?

It’s an interesting time for web security. It feels like we have most of the long-standing problems mapped out, with proposed solutions for them — it just turns out some of the solutions require a bit more work than initially anticipated. Interestingly enough, some of the toolings will be provided by the web platform itself, with minimal-to-medium involvement required from the web applications.

For example, we can fix CSRF and some other cross-origin vulnerabilities with Fetch Metadata and Cross-Origin Opener Policy, Trusted Types address DOM XSS, and clickjacking can be fixed with Intersection Observer v2. At the same time, we see new threats, out of which XS-Leaks family of attacks seems to be the one that will occupy us for at least a couple of years. Recent developments in privacy-focused APIs is also interesting, as some of them introduce sets of non-trivial security tradeoffs.

Your last blog post is dated 2016, why did you stop blogging?

I rarely find enough time to write a lengthy blog post, so instead, I turned to Twitter, where I exercise to distill my thoughts into <280 character long snippets. It’s challenging, imprecise, and messy — but at least it allows to keep me actively engaged with other folks in the web security circles. Twitter is where the discussions in my field happen.

What do you do in your free time?

I used to dance a lot, first ballroom, and then blues and swing dances. Nowadays, I turned to much more mainstream hobbies, the most exciting ones being boardgames and reading books, especially older, classic S-F novels.

Are you excited about the upcoming JSNation conference in Amsterdam this year?

Of course — I am uncomfortably excited about it! This will actually be a first non-security focused conference I’ll speak at, so it’s all new grounds for me. I intend to demonstrate the approach we use in Google to ascertain that tens of thousands of frontend developers write XSS-free web applications virtually unobstructed, and allow the relatively small security team to effectively review only the small security-sensitive areas of their projects.

I’ll demonstrate Trusted Types — a browser API we’re working on that is a practical extension of this approach — and show how it can be used in your codebase and processes to effectively eliminate the risk of DOM XSS, the most common security vulnerability we observe in modern web applications.