Michele Spagnuolo (Google), David Dworken (Google), Artur Janc (Google), Santiago Díaz (Google), Lukas Weichselbaum (Google)

The area of security measurability is gaining increased attention, with a wide range of organizations calling for the development of scalable approaches for assessing the security of software systems and infrastructure. In this paper, we present our experience developing Security Signals, a comprehensive system providing security measurability for web services, deployed in a complex application ecosystem of thousands of web services handling traffic from billions of users. The system collects security-relevant information from production HTTP traffic at the reverse proxy layer, utilizing novel concepts such as synthetic signals augmented with additional risk information to provide a holistic view of the security posture of individual services and the broader application ecosystem. This approach to measurability has enabled large-scale security improvements to our services, including prioritized rollouts of security enhancements and the implementation of automated regression monitoring. Furthermore, it has proven valuable for security research and prioritization of defensive work. Security Signals addresses shortcomings of prior web measurability proposals by tracking a comprehensive set of security properties relevant to web applications, and by extracting insights from collected data for use by both security experts and non-experts. We believe the lessons learned from the implementation and use of Security Signals offer valuable insights for practitioners responsible for web service security, potentially inspiring new approaches to web security measurability.

View More Papers

Passive Inference Attacks on Split Learning via Adversarial Regularization

Xiaochen Zhu (National University of Singapore & Massachusetts Institute of Technology), Xinjian Luo (National University of Singapore & Mohamed bin Zayed University of Artificial Intelligence), Yuncheng Wu (Renmin University of China), Yangfan Jiang (National University of Singapore), Xiaokui Xiao (National University of Singapore), Beng Chin Ooi (National University of Singapore)

Read More

Tag of the Dead: How Terminated SaaS Tags Become...

Takahito Sakamoto, Takuya Murozono (DataSign Inc)

Read More

CROW: Code Diversification for WebAssembly

Javier Cabrera Arteaga, Orestis Floros, Benoit Baudry, Martin Monperrus (KTH Royal Institute of Technology), Oscar Vera Perez (Univ Rennes, Inria, CNRS, IRISA)

Read More

SKILLPoV: Towards Accessible and Effective Privacy Notice for Amazon...

Jingwen Yan (Clemson University), Song Liao (Texas Tech University), Mohammed Aldeen (Clemson University), Luyi Xing (Indiana University Bloomington), Danfeng (Daphne) Yao (Virginia Tech), Long Cheng (Clemson University)

Read More