Security Expert Jarrod Overson: The OSS JS Ecosystem Is Dependent on Unearned Trust

We talked to Jarrod Overson, a developer, public speaker, web security specialist, author, and the Director of Engineering at Shape Security

JSNation, Jun 5, 2019 (6 min read)

Jarrod Overson has been in web development for nearly 20 years, of which the last 5 years he has spent working on and researching web security and privacy. In this interview with JSNation, he talks about his experience and his area of expertise, names his favorite technology stack, gives advice for users on protecting their privacy online, and shares his view on the future of web security in general. Jarrod is coming to Amsterdam to give a talk at JSNation Conference, June 6–8, 2019.

Hello Jarrod, and welcome to the interview with JSNation. Please introduce yourself.

I’m Jarrod Overson, I’ve been in web development for nearly 20 years and, for the past 5, have been focusing that experience in security at Shape Security. I’ve been programming since I was 11 making games on my graphing calculator (TI-85 woot!) and I grew up hacking games like Starcraft and Fallout. The web was always a draw to me and I ended up foregoing school because the CS courses at the time didn’t focus much on the web technologies I wanted to work with. Luckily the web grew to where it is today and I can look back fondly on these choices 😄.

What did you do before becoming the Director of Engineering at Shape Security? What’s your area of expertise?

Right before Shape, I worked at Riot Games, a video game company in Santa Monica. I had always envisioned loving working with video games but I found myself wishing to be back at a smaller company and jumped when Shape reached out. Prior to that, I worked at a handful of startups and Napster, waaay back in the day. I’ve worked on everything from large scale CMS backends, frontend, graphic UI work, WebGL/canvas graphics, parsing, static analysis, and other weird stuff. My area of expertise is just figuring stuff out. It started with hacking games when I was a teen and it has led me to counter-hacking attackers as a job.

What does it take to become a Google Dev Expert? What advice can you give aspiring programmers who’d like to join the experts’ program?

The willingness to put yourself out there with educational materials and speaking opportunities combined with the desire to never stop learning. It was actually less involved than I expected because I had been writing and speaking for so long but I think that’s the best advice there is. Don’t strive for a role in a company or a title like GDE, imagine you are already in that role and act how you think you should act. The recognition comes after you’ve already earned it.

Why did you decide to focus on web security and identity protection?

That was a random chance from Ariya Hidayat, the former VP of Shape (and creator of PhantomJS and Esprima). I never decided to focus on it, I was convinced that I should give it a shot and now I’ve been so deep in it that I guess it just happened gradually.

The web is at a tipping point right now. A new browser war is heating up with a focus on privacy and fingerprinting, data breaches are happening near-daily, and the entire open source JavaScript ecosystem is dependent on mutual trust that wasn’t earned. Our policies, specs, and technology have some parts that aren’t scaling well and it’ll be interesting to see what comes of it.

Can you share any tips for users who’d like to protect their identities online? Is this even possible?

Ooof. Freeze your credit. Freeze your children’s credit. Use unique passwords everywhere (for real). Use a password manager. Use 2FA when available. Set up Google alerts on yourself and your family, including all the nicknames you’ve used. Regularly search yourself and try and cut off the content you don’t want out there before it stays there for too long. There’s so much.

What are the most challenging issues you’re dealing with right now in web security? Where is web security heading?

Malicious website automation. That’s an obvious answer because that’s my job but it’s a problem I see getting much, much worse soon. Web tech has stagnated in countering this threat and browsers have made an attacker’s job *easier* with recent decisions. We’re heading towards a future where attackers will perfectly mimic user behavior and it will be difficult to differentiate what is legitimate and what is fraudulent.

On your website you’re referring to “esoteric web technologies.” What do you mean by that?

I excel in the outskirts of the web where no one is making divs fade in and out or creating infinite scrolling lists. Weird WebGL stuff like outsourcing execution to shaders, creating JavaScript partial interpreters, static analysis, and how to hack web applications in creative ways. One of the recent things I’ve been playing with is hooking into Chrome from VSCode so you can intercept, analyze, and rewrite content on the fly. Specifically, this is to manipulate web applications and find out how they are exploitable but it’s also just fun.

The first thing I built when deciding whether or not to go 100% into JavaScript was a particle system to determine performance and capability. I’m still a little giddy that I’m the first result in Google for “javascript particle system”. It still runs and ran well in IE 8 (I think) at the time!

What’s your favorite technology stack and why?

Vanilla TypeScript + Parcel + Google Cloud/Firebase. These things are proving to be extremely useful for the things I am doing. I’m not making huge web apps anymore so haven’t invested in many frontend frameworks.

Can you briefly describe your public speaking experience?

I started speaking about 8 years ago at San Diego JavaScript. It was such a great experience that I started proposing talks all over. I was surprised at how much I learned about myself at the time and have continued to learn. My favorite talk that I ever gave was about how JavaScript frontend would be vastly improved by learning from video game development with better state management and render loops. I gave it for the last time at ViewSourceConf years ago and now it’s reassuring to see React and the like essentially doing just that.

So far, you’ve written one book, on Developing Web Components. Do you have any other books in the works?

No! Every time I think about it I need to remind myself what a monster that was. Trying to write a book on an early, fluctuating specification that browsers were fighting over was an exhausting experience. Refactoring entire sections of a book is not fun. There’s no IDE that helps there.

Do you have any hobbies?

I like making and breaking stuff. I’ve got 3 kids now so I am trying to build stuff wherever I can to show them how the world is moldable in any way they like. Robots, indoor swings, hammocks from scratch, modifying the house in order to make it more fun, things like that. Outside of that I still like to think I’ll make a game some time. I’ve got one in the works that I’m further along with than ever before so maybe that’ll be a reality this time.

Are you excited about the upcoming JSNation conference? What are you going to talk about?

Absolutely! I’ve never been to Amsterdam and this conference looks amazing. I’ll be speaking on the event-stream exploit that happened in November 2018. I was one of the people that first wrote about it and dove into each payload as the community was uncovering it. It’s a fantastic case-study in social engineering, exploitation, and risk. Thank you so much for having me!

The interview was prepared with the assistance of Marina Vorontsova, a copywriter from Soshace.com. Soshace is a hiring platform for web developers: hire a developer or apply for a remote job.
