Photo by Bernard Hermant on Unsplash

If you like computer security puzzles and JavaScript, you’ll like this short video series.

It builds on work I and others in Google’s Security Engineering group have done to identify and counter the kinds of common mistakes that lead to vulnerabilities.

After the puzzles I draw on experiences managing security within a large engineering organization that builds static systems and propose language tweaks that would enable similar outcomes for dynamic systems.

In case you’re interested in how the puzzles tie into the larger point I’m trying to make:

“A very simple piece of code” shows a subtle security problem. I use that to discuss the role code review plays in security. Later in the series I discuss ways to enable effective, targeted review even in highly dynamic, rapidly evolving systems. “Bags of properties” shows another subtle problem. Code needs to mix data from different sources, but how do we allow mixing safely? “A string by any other name” considers XSS and the larger problem — a string of HTML is “just a string” until it is parsed as code. How do we manage security when it depends on strings that aren’t just strings? “Kernelizing” talks about how to maintain important security properties despite bugs in application code, and proposes two specific language changes to this end. “Solutions” applies the proposed mechanisms to the puzzle code.

The videos are all available on Youtube.

Happy hunting!