SecAppDev 2023 lecture details
Modern security features for web apps
Learn about new web platform security mechanisms available in web browsers that enable developers to protect their web applications from common and new web attacks.
Wednesday June 14th, 14:00 - 15:30
Room Lemaire
Abstract
Web applications are often exposed to vulnerabilities that enable attackers to compromise the session of authenticated users. These include XSS, CSRF, clickjacking, XS-Leaks and Spectre. However, new security mechanisms implemented in web browsers provide developers with effective tools to safeguard their web applications against prevalent and emerging web attacks. In this talk, we’ll discuss several of these modern web platform security features. You’ll gain an understanding of CSP3, Trusted Types, Fetch Metadata headers and COOP, and how they can mitigate whole categories of security risks.
Key takeaway
Learn how to use new web security features such as CSP3, Trusted Types, Fetch Metadata and COOP to prevent classes of prevalent and emerging web attacks.
Content level
Introductory
Target audience
Developers and security specialists interested in securing web applications.
Prerequisites
Basic knowledge of web application development and security concepts.
Lukas Weichselbaum
Senior staff security engineer, Google
Expertise: Web security, web platform security and scaling security via secure defaults in web frameworks and safe by default APIs
Related lectures
Demystifying Zero Trust
Introductory lecture by Bart Preneel in room Lemaire
Wednesday June 14th, 09:00 - 10:30
We discuss the principles of zero trust and explain how it can be implemented. We also discuss how we can build up trust in devices, software and hardware components.
Key takeaway: Understand whether zero trust is useful for your organization or system. Reflect on which products and services you trust and why
OAuth 2.0 and OpenID Connect architectures
Deep-dive lecture by Philippe De Ryck in room West Wing
Monday June 12th, 16:00 - 17:30
In this session, we explore what OAuth 2.0 and OpenID Connect have to offer. We also investigate how to leverage these technologies to build a modern and secure application architecture.
Key takeaway: Understanding the fundamentals of OAuth 2.0 and OpenID Connect, and how to use these building blocks to design modern application architectures
Policy-as-Code: across the tech stack
Deep-dive lecture by Abhay Bhargav in room Lemaire
Tuesday June 13th, 16:00 - 17:30
Discover Policy-as-Code (PaC) for decoupled security across the stack, covering OPA for API gateways, Kyverno for Kubernetes, Tetragon & Tracee for eBPF, and Casbin & Oso for authorization. Learn how to enhance security and compliance with PaC tools.
Key takeaway: Using Open Policy Agent (OPA) for policy management, eBPF for security detection on containerized workloads, and authorization-as-code frameworks for RBAC