SecAppDev 2020 Lecture Details

Securing web apps with modern platform features

Lukas Weichselbaum
Thursday March 12, 09:00 - 10:30
Short description

Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user. Luckily, new security mechanisms in web browsers offer ways for developers to protect their applications.

Abstract

Common vulnerabilities such as XSS, CSRF, and others have long plagued the web. They also account for most of the high-risk flaws reported under Google's Vulnerability Reward Program. Learn about the latest web platform security mechanisms to protect your apps from injections and isolate them from dangerous sites. You'll leave with a security checklist for defending your applications with new browser features based on Google Security Team's experience in protecting the web's most sensitive apps.

Key takeaway

Understand how to defend your web applications with new web platform features.

Content level

Deep-dive

Target audience

Anyone building, designing or securing web applications

Prerequisites

Technical aspects of web applications (HTML, JS, HTTP) and basic understanding of web vulnerabilities.


Lukas Weichselbaum

Staff Information Security Engineer, Google

Lukas is a staff information security engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences. He's passionate about securing web applications from common web vulnerabilities and leads the Google-wide Content Security Policy (CSP) adoption effort. Lukas also co-authored the CSP3 W3C specification and is the creator of the CSP Evaluator.

Related web security sessions

Building secure frontend web applications

One-day workshop by Jim Manico

Cross-Site Scripting (XSS) is the Achilles heel of almost every web application. Even in the modern world, where applications are built with JavaScript frameworks, XSS requires attention to detail. To build secure applications, developers need to be aware of current best practices for their particular framework. This one-day workshop offers an in-depth perspective on XSS in the modern web. We look at XSS defenses from various angles, including the elaborate Content Security Policy.

Web security | Tuesday March 10, 09:00 - 17:30

A builder's guide to API security

One-day workshop by Philippe De Ryck

Most modern applications consist of a frontend web or mobile application, backed by several API-based services. This paradigm shift away from server-side page generation has a significant impact on various security aspects. To build secure applications, developers need to be aware of these security changes, along with current best practices. This one-day workshop offers a unique in-depth perspective on modern API security.

Web security | Wednesday March 11, 09:00 - 17:30

The ultimate guide to Content Security Policy

Lecture by Lukas Weichselbaum

Even with hardened frameworks and thorough security reviews, there's no guarantee that an application is free of XSS. In this session, I'll present different flavors of CSP, which can serve as a robust defense-in-depth mechanism against XSS.

Web security | Wednesday March 11, 14:00 - 15:30

The security model of the web

Lecture by Philippe De Ryck

The web still depends on the same security model as it did 20 years ago. Even if somewhat flawed, that security model is essential for building secure applications.

Web security | Monday March 9, 16:00 - 17:30

Blueprint for secure JavaScript development

Lecture by Marcin Hoppe

The Web runs on JavaScript. This session introduces patterns, tools, and processes for building secure applications in this important but often misunderstood and abused programming language.

Web security | Thursday March 12, 11:00 - 12:30