SecAppDev 2020 Workshop Details

Building secure frontend web applications

Jim Manico
Tuesday March 10, 09:00 - 17:30
Abstract

Cross-Site Scripting (XSS) is the Achilles' heel of almost every web application. Even in the modern world, where applications are built with JavaScript frameworks, XSS requires attention to detail. To build secure applications, developers need to be aware of current best practices for their particular framework. This one-day workshop offers an in-depth perspective on XSS in the modern web. We look at XSS defenses from various angles, including the elaborate Content Security Policy.

Topics
  • XSS attacks and defenses
  • Content Security Policy
  • Overview of Angular and AngularJS Security
  • Overview of React Security
  • Overview of Vue.js Security
  • Competitive secure coding labs
Learning goal

Best practices for preventing dangerous frontend XSS vulnerabilities

Content level

Introductory

Target audience

Anyone who is building or designing HTML-based applications, including server-side frameworks and modern frontend JavaScript frameworks.

Prerequisites

Experience with developing frontend web applications.

Technical requirements

A laptop with a modern browser (e.g., Chrome, Firefox) installed.


Jim Manico

CEO, Manicode Security

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences, and BitDiscovery. Jim is a frequent speaker on secure software practices, is a Java Champion, and is the author of "Iron-Clad Java - Building Secure Web Applications" from Oracle Press. Jim also volunteers for OWASP as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls.



Related web security sessions

A builder's guide to API security

One-day workshop by Philippe De Ryck

Most modern applications consist of a frontend web or mobile application, backed by several API-based services. This paradigm shift from server-side page generation causes a significant impact on various security aspects. To build secure applications, developers need to be aware of these security changes, along with current best practices. This one-day workshop offers a unique in-depth perspective on modern API security.

Web security Wednesday March 11, 09:00 - 17:30

Securing web apps with modern platform features

Lecture by Lukas Weichselbaum

Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user. Luckily, new security mechanisms in web browsers offer ways for developers to protect their applications

Web security Schedule TBD

The ultimate guide to Content Security Policy

Lecture by Lukas Weichselbaum

Even with hardened frameworks and thorough security reviews, there's no guarantee that an application is free of XSS. In this session, I'll present different flavors of CSP, which can serve as a robust defense-in-depth mechanism against XSS.

Web security Schedule TBD

The security model of the web

Lecture by Philippe De Ryck

The web still depends on the same security model as it did 20 years ago. Even if somewhat flawed, that security model is essential for building secure applications.

Web security Schedule TBD

Making smart choices from the authentication cookbook

Lecture by Philippe De Ryck

Modern applications need to authenticate users and services in various scenarios. This session focuses on helping architects and developers understand the different authentication mechanisms and their purpose.

Web security Schedule TBD

Blueprint for secure JavaScript development

Lecture by Marcin Hoppe

The Web runs on JavaScript. This session introduces patterns, tools, and processes for building secure applications in this important but often misunderstood and abused programming language.

Web security Schedule TBD