Lukas Weichselbaum

Welcome

I'm a senior staff tech lead and manager at Google's Information Security Engineering team with over 10 years of industry experience and love speaking at infosec and developer conferences.

At Google I lead 10+ folks to secure hundreds of web applications from entire classes of web vulnerabilities by deploying web platform security features like CSP, Fetch Metadata, Trusted Types, COOP, etc. at scale. I'm also part of the W3C Web Application Security Working Group contributing to W3C specifications like CSP3 and created the CSP Evaluator, a tool for developers and security experts to check if a Content Security Policy serves as a strong mitigation against XSS attacks.

Before joining Google, I worked as a Security Consultant and graduated from Vienna University of Technology in Austria where I researched dynamic analysis of Android malware and founded Andrubis - one of the very first large scale malware analysis platforms for Android applications.

Experience

Work

Google, Zürich, Switzerland
since 04/2013
Staff Information Security Engineer


isecLAB TU Vienna, Austria
10/2012 - 12/2012
Developed a tool for dynamic automated malware analysis of Android applications


SEC Consult Unternehmensberatung GmbH, Vienna, Austria
11/2012 - 03/2013


Google Inc., Mountain View, USA
07/2012 - 10/2012


SEC Consult Unternehmensberatung GmbH, Vienna, Austria
07/2009 - 06/2012
Security audits (internal and external), security training and forensic analysis for national and international customers

Skills

Experienced tech lead and manager.

Frequent speaker at international infosec and developer conferences.

Web application security, web platform security, W3C spec contributions.

Large scale deployment of security and code hardening features (Google scale).

Software engineering (mostly Java/JavaScript these days) and project management.

Code audits, security reviews, pentests, vendor security reviews and numerous national and international projects in the area of information security.

Security and privacy research.


Education

Vienna University of Technology
10/2012 - 06/2015
Master: Software Engineering & Internet Computing


Vienna University of Technology
10/2009 - 06/2012
Bachelor: Software and Information Engineering
2x Academic Excellence Scholarship


College of Electronic Data Processing, St. Pölten
09/2003 - 06/2008
Honours

Certificates

Sun Certified Programmer (Java 1.5)

Cisco Certified Network Associate (CCNA)

Cambridge Business English Certificate

Conference Speaker

sec4dev, Vienna, 2022
Securing Web Applications with Modern Web Platform Security Features [slides]

University Guest Lectures, 2021
KTH Royal Institute of Technology, Stockholm, Sweden

COVID break in 2020/2021

Google I/O, Mountain View, 2019
Securing Web Apps with Modern Platform Features [slides]

LocoMocoSec, Kauai, 2019
CSP: A successful mess between hardening and mitigations [slides]

PyConWeb [Keynote], Munich, 2019

OWASP AppSec, Tel Aviv, 2019

IT-SECX, St. Pölten, 2019

University Guest Lectures, 2019
Advanced InetSec, Vienna University of Technology

Hack In The Box, Amsterdam, 2018
Defense-in-depth techniques for modern web applications [slides]

Area41, Zurich, 2018

ScaleUp Porto Master class, Porto, 2018

Confidence, Krakow, 2018

OWASP New Zealand, Auckland, 2017

Hack In The Box, Amsterdam, 2017

OWASP AppSec, Belfast, 2017
So we broke all CSPs... You won't guess what happened next!

DeepSec, Vienna, 2016

University Guest Lectures, 2016
ETH Zürich; Chalmers University, Göteborg

IEEE SecDev, Boston, 2016
Adopting Strict Content Security Policy for XSS Protection

ACM CCS, Vienna, 2016
CSP is Dead, Long Live CSP

OWASP AppSec Europe, Rome, 2016
Making CSP Great Again [slides]

Area41, Zürich, 2016
Breaking Bad CSP [slides]

Hack In The Box, Amsterdam, 2016
CSP Oddities [slides]

ADV Conference, 4th Advanced IT Security Conference, Vienna, 2011

L.S.Z. Security Congress, Web Application and Mobile Security, Waidhofen/Ybbs, 2010

16th SICHERHEIT Symposium, Vienna, 2009


Publications

Information Leaks via Safari's Intelligent Tracking Prevention [Article] [Bibtex]
Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, Roberto Clapis. Google Research (arXiv:2001.07421), Zürich, Switzerland, January 2020

Abstract:
Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data.

As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search).

CSP is Dead, Long Live CSP: On the Insecurity of Whitelists and the Future of the Content Security Policy [Article] [Bibtex]
Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, Artur Janc. 23rd ACM Conference on Computer and Communications Security (CCS), Vienna, Austria, October 2016

Abstract:
Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies. We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result covers CSP deployments on 1,680,867 hosts with 26,011 unique CSP policies – the most comprehensive study to date. We introduce the security-relevant aspects of the CSP specification and provide an in-depth analysis of its threat model, focusing on XSS protections. We identify three common classes of CSP bypasses and explain how they subvert the security of a policy.

We then turn to a quantitative analysis of policies deployed on the Internet in order to understand their security benefits. We observe that 14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS.

Finally, we propose the 'strict-dynamic' keyword, an addition to the specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists. We discuss our experience deploying such a nonce-based policy in a complex application and provide guidance to web authors for improving their policies.

Andrubis - 1,000,000 Apps Later: A View on Current Android Malware Behaviors [Article] [Bibtex]
Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer. Proceedings of the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), Wroclaw, Poland, September 2014


Andrubis: Android Malware Under The Magnifying Glass [Article] [Bibtex]
Lukas Weichselbaum, Matthias Neugschwandtner, Martina Lindorfer, Yanick Fratantonio, Victor van der Veen, Christian Platzer. Technical Report TR-ISECLAB-0414-001

Master's Thesis: Andrubis - Dynamic Behavior Monitoring of Android Malware, Vienna University of Technology, Austria, 2015

Diploma Thesis: Penetration Test System / Computer Forensics, College of Electronic Data Processing, St. Pölten, Austria, 2008

Open Source Projects

CSP Evaluator [GitHub] [Website] (~5000 monthly active users)
September 2016 – Present
The CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing CSP policies, which is usually a manual task, and helps identify subtle CSP bypasses which undermine the value of a policy. The CSP Evaluator's checks are based on a large-scale study and aim to help developers harden their CSP and improve the security of their applications.
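To make the ideas in the CCS abstract above (host whitelists vs. nonce-based policies with 'strict-dynamic') and the CSP Evaluator description concrete, here is a small policy assessor. It is an added example written for this page, not the CSP Evaluator's own code, and the set of checks and the severities it assigns are my own illustration: it parses a serialized policy, works out which directive governs script execution, and flags 'unsafe-inline' without a nonce or hash, scheme-wide or wildcard sources, host whitelists whose safety cannot be judged from the policy text alone, and a missing object-src lock-down. The sample policies in main() are constructed for the demo.

```python
"""Illustrative CSP assessor: flags script-src patterns that weaken a policy.
Added example, not the CSP Evaluator's code; check set and severities are my own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# nonce-/hash-source expressions as defined by CSP (base64 value in single quotes)
NONCE_OR_HASH = re.compile(r"^'(nonce-[A-Za-z0-9+/\-_=]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$")
# scheme-wide or fully wildcard sources that admit scripts from arbitrary origins
ANY_ORIGIN = {"*", "http:", "https:", "data:"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "info"
    directive: str
    message: str


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive name: [source expressions]}.

    Directives are ';'-separated; the first whitespace token of each is the name.
    Names are case-insensitive and, per the spec, only the first occurrence counts.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def assess(policy: str) -> tuple[str, list[Finding]]:
    """Return (rating, findings): "weak" on any high finding, "needs review" on a
    medium one, otherwise "strong"."""
    d = parse_csp(policy)
    findings: list[Finding] = []

    # script-src governs script execution; default-src is the fallback when absent
    if "script-src" in d:
        name, sources = "script-src", d["script-src"]
    elif "default-src" in d:
        name, sources = "default-src", d["default-src"]
    else:
        findings.append(Finding("high", "script-src",
                                "neither script-src nor default-src set: any script may run"))
        return "weak", findings

    lowered = [s.lower() for s in sources]
    nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)  # nonces are case-sensitive
    strict_dynamic = "'strict-dynamic'" in lowered
    unsafe_inline = "'unsafe-inline'" in lowered
    hosts = [s for s in lowered if not s.startswith("'")]      # host and scheme sources

    if unsafe_inline and not nonce_or_hash:
        findings.append(Finding("high", name, "'unsafe-inline' lets any injected inline script execute"))
    elif unsafe_inline:
        findings.append(Finding("info", name, "'unsafe-inline' is ignored by browsers that honour the "
                                              "nonce/hash; harmless fallback for old browsers"))

    if strict_dynamic and nonce_or_hash:
        if hosts:   # with 'strict-dynamic' the whitelist no longer matters
            findings.append(Finding("info", name, "host/scheme sources are ignored because 'strict-dynamic' is set"))
    else:
        for h in hosts:
            if h in ANY_ORIGIN:
                findings.append(Finding("high", name, f"{h} admits scripts from arbitrary origins"))
            elif "*" in h:
                findings.append(Finding("medium", name, f"wildcard host {h} widens the whitelist"))
        if hosts and not any(f.severity == "high" for f in findings):
            findings.append(Finding("medium", name, "host whitelist: safe only if no listed host serves "
                                                    "unsafe endpoints such as JSONP; not verifiable from the policy"))

    # plugin content is another script-execution path; object-src 'none' closes it
    obj = d.get("object-src", d.get("default-src"))
    if obj is None or "'none'" not in [s.lower() for s in obj]:
        findings.append(Finding("medium", "object-src", "object-src is not 'none': plugin content may run"))

    if any(f.severity == "high" for f in findings):
        return "weak", findings
    if any(f.severity == "medium" for f in findings):
        return "needs review", findings
    return "strong", findings


def main() -> None:
    # constructed sample policies: a nonce + 'strict-dynamic' policy, a whitelist, an 'unsafe-inline' one
    for policy in (
        "script-src 'nonce-abc123' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none'",
        "script-src 'self' https://cdn.example.com *.example.org; object-src 'none'",
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
    ):
        rating, findings = assess(policy)
        print(f"[{rating}] {policy}")
        for f in findings:
            print(f"    {f.severity:6} {f.directive}: {f.message}")


if __name__ == "__main__":
    main()
```

The nonce-based policy keeps `https:` and `'unsafe-inline'` only as fallbacks for browsers without 'strict-dynamic' support, which is why the assessor reports them as informational rather than as weaknesses; a whitelist-only policy is never rated better than "needs review" because, as the study above found, the policy text cannot tell you whether a whitelisted host exposes an unsafe endpoint.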


VSAQ: Vendor Security Assessment Questionnaire [GitHub] [Blogpost] [Website]
March 2016
VSAQ is an interactive questionnaire application. Its initial purpose was to support security reviews by facilitating not only the collection of information, but also the redisplay of collected data in templated form.

At Google, questionnaires like the ones in this repository are used to assess the security programs of third parties. But the templates provided can be used for a variety of purposes, including doing a self-assessment of your own security program, or simply becoming familiar with issues affecting the security of web applications.