Google operates one of the world's most complex web application ecosystems. In this keynote, learn how we've scaled our security approach to protect both new and legacy code. Explore our "safe coding" philosophy, the mindset shifts, cutting-edge data tools, and automation that make it all work at an unprecedented scale. Key Takeaways: - Secure by Default, Not by Chance: Explore the "safe coding" philosophy and how we bake security directly into development platforms. - The Legacy Code Challenge: Gain insights on how to tackle the modernization of older codebases, a critical step often overlooked in scaling security efforts. - Data as Your Compass: Understand the role of tools and data—both broad analytics and precise telemetry—in guiding safe, large-scale rollouts. - Beyond Code: Learn why trying to make everyone a security expert isn't the answer. The same way Java developers don't have to deal with memory corruption bugs, web developers should not have to worry about XSS, XSRF, and other common web vulnerabilities. - Holistic Security: Discover why scaling security requires addressing not only new code, but also existing applications, regressions, and even flaws in the web platform itself. Whether you work at a startup or a large enterprise, this talk offers practical recipes and strategies to scale your web security efforts effectively. This keynote will be augmented by two deep dive sessions on: - Third-party cookie deprecation: Fixing some of the “original security sins” of the web platform through third-party cookie blocking and related changes. - Securing Web Applications at Scale: A recipe for mitigating XSS vulnerabilities at scale using strict Content Security Policy and Trusted Types