SecAppDev 2023 - Web security

In this session, we explore how to leverage the fundamental security model of the web for security. We also explore complex attack patterns, such as CSRF, and how they impact even modern API-based applications.

Key takeaway: Understand how the browser reasons about web security, and how you can leverage this fundamental security model to secure your applications

Learn about new web platform security mechanisms available in web browsers that enable developers to protect their web applications from common and new web attacks.

Key takeaway: Learn how to use new web security features such as CSP3, Trusted Types, Fetch Metadata and COOP to prevent classes of prevalent & emerging web attacks

Discover Policy-as-Code (PaC) for decoupled security across the stack, covering OPA for API gateways, Kyverno for Kubernetes, Tetragon & Tracee for eBPF, and Casbin & Oso for authorization. Learn how to enhance security and compliance with PaC tools.

Key takeaway: Using Open Policy Agent (OPA) for policy management, eBPF for security detection on containerized workloads, and authorization-as-code frameworks for RBAC

In this session, we identify do's and don'ts when building CSP policies for modern applications. We explore how to enable CSP with third-party content and offer a nuanced opinion on building secure CSP policies.

Key takeaway: Modern best practices for building secure CSP policies, along with guidelines for deploying CSP in single page applications

This talk traces Application Security from its '60s origins marked by poor practices to today's advancements. We aim to inspire security professionals by highlighting the accelerated pace of positive changes over time.

Key takeaway: Exploring Application Security's history reveals an encouraging trend: continuous, accelerating improvement over time.