Important notice about SecAppDev 2020

Due to the current situation with COVID-19 (Corona), with deep regret, we feel bound to postpone SecAppDev 2020 indefinitely. While there have been no official instructions to postpone events such as ours or reduce travel, both attendees and speakers have informed us that they are unable to attend SecAppDev.

We hope everyone in SecAppDev stays healthy, and wish everyone the best for the coming months.

SecAppDev 2020 Lecture Details

Blueprint for secure JavaScript development

Marcin Hoppe
Thursday March 12, 11:00 - 12:30
Short description

The Web runs on JavaScript. This session introduces patterns, tools, and processes for building secure applications in this important but often misunderstood and abused programming language.


JavaScript is one of the most popular programming languages and an essential tool for building Web applications and APIs. Many developers and application security engineers do not know how to approach secure JavaScript development.

This session seeks to close this gap by looking at vulnerabilities unique to JavaScript and showcasing patterns that prevent them. The talk will demonstrate leveraging unique JavaScript capabilities and open source tools to aid security testing (SAST, IAST, DAST). We will also take a look at supply chain threats that are prevalent in the JavaScript ecosystem.

Key takeaway

The right approach to JavaScript application development helps prevent vulnerabilities, both in the browser and on the backend.

Target audience

Anyone interested in building and securing JavaScript applications.


Basic familiarity with JavaScript programming and Web application development will be helpful but is not required.


Marcin Hoppe

Senior Manager, Product Security, Auth0

Marcin Hoppe leads the Product Security team at Auth0, an identity platform for application builders. He is passionate about building secure applications using JavaScript and promoting security best practices and responsible disclosure in this ecosystem. Marcin is also a member of the Node.js Ecosystem Security Working Group under the OpenJS Foundation where his work is focused on running the bug bounty program for third-party Node.js packages.


Related web security sessions

Building secure frontend web applications

One-day workshop by Jim Manico

Cross-Site Scripting (XSS) is the Achilles' heel of almost every web application. Even in the modern world, where applications are built with JavaScript frameworks, XSS requires attention to detail. To build secure applications, developers need to be aware of current best practices for their particular framework. This one-day workshop offers an in-depth perspective on XSS in the modern web. We look at XSS defenses from various angles, including the elaborate Content Security Policy.

Web security Tuesday March 10, 09:00 - 17:30

A builder's guide to API security

One-day workshop by Philippe De Ryck

Most modern applications consist of a frontend web or mobile application, backed by several API-based services. This paradigm shift from server-side page generation causes a significant impact on various security aspects. To build secure applications, developers need to be aware of these security changes, along with current best practices. This one-day workshop offers a unique in-depth perspective on modern API security.

Web security Wednesday March 11, 09:00 - 17:30

Securing web apps with modern platform features

Lecture by Lukas Weichselbaum

Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user. Luckily, new security mechanisms in web browsers offer ways for developers to protect their applications.

Web security Thursday March 12, 09:00 - 10:30

The ultimate guide to Content Security Policy

Lecture by Lukas Weichselbaum

Even with hardened frameworks and thorough security reviews, there's no guarantee that an application is free of XSS. In this session, I'll present different flavors of CSP, which can serve as a robust defense-in-depth mechanism against XSS.

Web security Wednesday March 11, 14:00 - 15:30

The security model of the web

Lecture by Philippe De Ryck

The web still depends on the same security model as it did 20 years ago. Even if somewhat flawed, that security model is essential for building secure applications.

Web security Monday March 9, 16:00 - 17:30