I'd imagine the great majority of security work happens in the JS engine, because that's what executes foreign, Turing-complete code from every site you visit (natively via JIT, even). So one option would be to simply use V8, and only build the other subsystems from scratch. Performant (and complete) JS interpretation is probably going to be the hardest thing to implement anyway, before you even get to the security concerns.