Lukas Weichselbaum


Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences.

He's passionate about securing Web applications from common Web vulnerabilities and leads the Google-wide CSP adoption effort. Lukas also co-authored the CSP3 W3C specification and is the creator of the CSP Evaluator, a tool for developers and security experts to check if a Content Security Policy serves as a strong mitigation against XSS attacks.

Before joining Google, Lukas worked as a Security Consultant and graduated from Vienna University of Technology in Austria, where he researched dynamic analysis of Android malware and founded Andrubis - one of the very first large-scale malware analysis platforms for Android applications.



Google, Zürich, Switzerland
since 04/2013
Staff Information Security Engineer

isecLAB TU Vienna, Austria
10/2012 - 12/2012
Developed a tool for dynamic automated malware analysis of Android applications

SEC Consult Unternehmensberatung GmbH, Vienna, Austria
11/2012 - 03/2013

Google Inc., Mountain View, USA
07/2012 - 10/2012

SEC Consult Unternehmensberatung GmbH, Vienna, Austria
07/2009 - 06/2012
Security audits (internal and external), security training and forensic analysis for national and international customers


Numerous national and international projects in the area of information security

Project manager and consultant for security audits

Android security and malware analysis

Web security, application security, IT infrastructure security, source code review, secure software development, IT forensics

Proficient in: Python, Java, JavaScript, Closure


Vienna University of Technology
10/2012 - 06/2015
Master: Software Engineering & Internet Computing

Vienna University of Technology
10/2009 - 06/2012
Bachelor: Software and Information Engineering
2x Academic Excellence Scholarship

College of Electronic Data Processing, St. Pölten
09/2003 - 06/2008


Sun Certified Programmer (Java 1.5)

Cisco Certified Network Associate (CCNA)

Cambridge Business English Certificate

Conference Speaker

LocoMocoSec, Kauai, 2019
CSP: A successful mess between hardening and mitigations

Hack In The Box, Amsterdam, 2018
Defense-in-depth techniques for modern web applications

Area41, Zurich, 2018

ScaleUp Porto Master class, Porto, 2018

Confidence, Krakow, 2018

OWASP New Zealand, Auckland, 2017

Hack In The Box, Amsterdam, 2017

OWASP AppSec, Belfast, 2017
So we broke all CSPs... You won't guess what happened next!

DeepSec, Vienna, 2016

University Guest Lectures, 2016
ETH Zürich, Chalmers University Goteborg

IEEE SecDev, Boston, 2016
Adopting Strict Content Security Policy for XSS Protection

ACM CCS, Vienna, 2016
CSP is Dead, Long Live CSP

OWASP AppSec Europe, Rome, 2016
Making CSP Great Again

Area41, Zürich, 2016
Breaking Bad CSP

Hack In The Box, Amsterdam, 2016
CSP Oddities

ADV Tagung, 4. IT-Sicherheitstagung für Fortgeschrittene, Vienna, 2011

L.S.Z. Security Kongress, Webapplikation- und Mobile-Security, Waidhofen/Ybbs, 2010

16. Symposium SICHERHEIT, Vienna, 2009


CSP is Dead, Long Live CSP: On the Insecurity of Whitelists and the Future of the Content Security Policy
Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, Artur Janc
23rd ACM Conference on Computer and Communications Security (CCS), Vienna, Austria, October 2016

Andrubis - 1,000,000 Apps Later: A View on Current Android Malware Behaviors
Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer
Proceedings of the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), Wroclaw, Poland, September 2014

Andrubis: Android Malware Under The Magnifying Glass
Lukas Weichselbaum, Matthias Neugschwandtner, Martina Lindorfer, Yanick Fratantonio, Victor van der Veen, Christian Platzer
Technical Report TR-ISECLAB-0414-001

Master's Thesis: Andrubis - Dynamic Behavior Monitoring of Android Malware, Vienna University of Technology, Austria, 2015

Diploma Thesis: Penetration Test System / Computer Forensik, College of Electronic Data Processing, St. Pölten, Austria, 2008