AppSec California 2016

Many common application-level security defects, such as SQL Injection and Cross-Site-Scripting (XSS), have proven difficult to eradicate in large-scale software development projects. 

In our view, the root cause for the prevalence of these classes of vulnerabilities is that underlying APIs and frameworks (such as, SQL query APIs, HTML templating systems, and Web Platform APIs) a-priori permit vulnerable application code to be written, thus placing the onus for avoiding vulnerabilities primarily on the developer. Since developers are human, and the APIs in question are often widely used in large applications, the presence of some number of mistakes and hence vulnerabilities is almost guaranteed. At the same time, it is unlikely that existing bugs in a large system can be exhaustively identified through testing, code review or static analysis.

In this talk, we propose to instead place the burden on API designers: Our goal is to design alternative APIs that are similarly expressive, but are also sufficiently constrained to make it essentially impossible to write vulnerable application code using the API. We describe designs for injection-proof SQL query APIs and XSS-proof HTML rendering APIs, combined with machine-checked coding guidelines ensuring their correct usage. These APIs have been successfully adopted in several flag-ship application development projects at Google, and have resulted in a drastic reduction in the number of bugs observed.