Modern-day software systems are increasingly multilingual, i.e., they often mix multiple programming languages and runtimes. For instance, in web browsers such as Google Chrome, JavaScript code runs through engines like V8 and interacts with components written in C++. While this flexibility promotes reusability and speeds up the development, it also brings new security challenges. When data moves between different programming languages, traditional (single-language) security tools often lose visibility over how data propagates across language boundaries. 

In this talk, I will share recent advancements in the security analysis of multilingual software systems. The talk will focus on the analysis of applications that process sensitive data flows across language boundaries. I will show how dynamic analysis guided by static analysis uncovers privacy leaks and hidden security flaws that evade conventional analysis tools. Finally, I will present our research on proactively and automatically repairing vulnerabilities in software systems. The idea is to help the industry move from reactive patching toward proactive software security.