SecAppDev 2025 - Application Security
SecAppDev 2025 offers three days of in-depth lectures and two days of hands-on workshops. Use the buttons below to navigate between the topics. The full schedule shows all sessions.
AI / ML security
Threat modeling
OWASP top 10
Authorization
Architecture
Secure Coding
Supply chain security
API security
Web security
Cryptography
Governance
Application Security
Identity
Privacy
LLM Security Bootcamp: Foundations, Threats, and Defensive Techniques
One-day workshop by Thomas Vissers and Tim Van Hamme in room Lemaire
Thursday June 5th, 09:00 - 17:30
Large Language Models (LLMs) open up a new realm of possibilities in application development, but they also pose significant challenges. Their non-deterministic nature and broad use cases complicate testing, while unpredictable failures (“hallucinations”) and novel attack vectors (“prompt injections”) add risk.
This workshop covers LLM-based applications, highlights unique threats, and offers hands-on testing and hardening techniques. Attendees will learn to set up and secure basic LLM-driven solutions in their organizations.
Learning goal: Learn how LLM applications work and are architected, the unique security challenges they introduce, and the current best practices in LLM security—along with their limitations.
No Size Fits All: Customized Application Security Tests
One-day workshop by Avi Douglen in room West Wing
Thursday June 5th, 09:00 - 17:30
The interesting, important, and hard-to-find bugs are not generic. They often stem from unique business logic, so finding them requires familiarity with the product.
Instead of getting frustrated with generic scans that barely find the obvious problems and flood you with false positives, you can run custom checks that find what you care about. In this course, you'll learn how to take your internal knowledge and write custom, tailored scans that work for you across the whole codebase.
You'll leave the course with a clear understanding of how to customize automated security tests for your code efficiently.
Learning goal: Learn how to find subtle, non-generic bugs in your code, make the most of open-source scanners, and set up smart security guardrails—all with practical techniques that fit into real-world development workflows.
Hands-on deep-dive into frontend security
One-day workshop by Philippe De Ryck in room Lemaire
Friday June 6th, 09:00 - 17:30
Modern web applications rely heavily on frontend code, making browser security mechanisms crucial for protecting users and data. This hands-on workshop takes a deep dive into advanced frontend security for Angular / React / Vue applications.
Participants will explore real-world attack scenarios and implement defenses through guided exercises. Designed for developers and security professionals, this workshop blends academic depth with practical application, equipping attendees with the skills to secure modern frontends effectively.
Learning goal: Understand and apply state-of-the-art security mechanisms to protect modern frontends from real-world threats.
Secure Coding Workshop
One-day workshop by Jim Manico in room West Wing
Friday June 6th, 09:00 - 17:30
This hands-on workshop teaches developers the principles of secure coding, focusing on real-world attack scenarios and defense strategies. Participants will learn to identify and mitigate vulnerabilities such as injection flaws, XSS, authentication weaknesses, and insecure dependencies. Using AI code generators and security tools, attendees will strengthen their ability to write robust, secure applications.
Ideal for developers looking to enhance their security mindset and build software that withstands modern threats.
Learning goal: Attendees will learn to build secure APIs by preventing injection attacks, managing third-party risks, applying OAuth2 basics, securing React integrations, and handling file uploads safely. They will also explore AI-assisted code generation.
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.
Navigating the Security Landscape of Modern AI
Deep-dive lecture by Vera Rimmer in room West Wing
Wednesday June 4th, 11:00 - 12:30
In this session, we will overview the general security landscape of AI technologies, including foundational machine learning, deep learning, and large language models.
Key takeaway: Integrating AI inevitably increases the threat landscape of a system. Understanding how AI can be exploited is key to developing effective mitigations.
The Bug Bounty Effect: From DevSecOops to Success!
Deep-dive lecture by Emil Vaagland in room Lemaire
Tuesday June 3rd, 09:00 - 10:30
Discover how bug bounty programs outperform traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.
Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.
Get out of your Bubble: Collaborative Threat Modeling
Deep-dive lecture by Avi Douglen in room Lemaire
Tuesday June 3rd, 16:00 - 17:30
Threat modeling by yourself is great - no one is there to tell you you're wrong. But if you want to discover nontrivial issues, the ones you'd not have on your checklist, you'll need to engage with others. But too often we chase them away.
Key takeaway: Threat modeling is not JUST a technical activity, and should intentionally leverage social techniques to maximize stakeholder participation.
Continuous Threat Modeling: Let Developers Figure It Out
Deep-dive lecture by Izar Tarandach in room West Wing
Monday June 2nd, 14:00 - 15:30
Continuous Threat Modeling for Developers. They're creating the problems, let them create the solution! No, really - enable them to see the security value of the stories they work on, what could go wrong, and what to do about it.
Key takeaway: Threat Modeling should not be a one-shot-and-done activity by security experts. It needs to be continuous, at the developer level.
Reviewing 3rd party libraries security using Scorecards
Introductory lecture by Niels Tanis in room West Wing
Tuesday June 3rd, 14:00 - 15:30
We rely on 3rd party libraries, which introduces security risks. OpenSSF's Scorecard helps assess package security. This session explores its checks and additional insights to strengthen supply-chain security.
Key takeaway: Understanding how to leverage the OpenSSF Scorecard to review the 3rd party libraries you use more easily.
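One way to turn Scorecard results into a review gate, as an added example that is not part of the session material or the Scorecard project: the script below applies a per-check policy to a report shaped like Scorecard's JSON output (a top-level score plus a checks array with scores from 0 to 10, or -1 when a check could not run). The report, the repository name and the thresholds are constructed for illustration.

```javascript
// Added example: gate a dependency review on OpenSSF Scorecard results.
// The report below is constructed sample data that follows the shape of
// Scorecard's `--format json` output; it is not output from a real run.
const sampleReport = {
  date: "2025-05-01",
  repo: { name: "github.com/example-org/example-lib", commit: "0123abcd" },
  score: 6.2,
  checks: [
    { name: "Dangerous-Workflow", score: 10, reason: "no dangerous workflow patterns detected" },
    { name: "Token-Permissions", score: 0, reason: "detected GitHub workflow tokens with excessive permissions" },
    { name: "Pinned-Dependencies", score: 3, reason: "dependency not pinned by hash detected" },
    { name: "Vulnerabilities", score: 10, reason: "no vulnerabilities detected" },
    { name: "Maintained", score: 8, reason: "commits and issues active in the last 90 days" },
    { name: "Signed-Releases", score: -1, reason: "no releases found" },
  ],
};

// Hypothetical policy: the minimum acceptable score per check we care
// about, plus an overall floor. Tune these to your own risk appetite.
const policy = {
  minOverall: 5,
  minPerCheck: {
    "Dangerous-Workflow": 10,
    "Token-Permissions": 5,
    "Pinned-Dependencies": 5,
    "Vulnerabilities": 10,
    "Maintained": 5,
    "Signed-Releases": 5,
  },
};

// Returns { pass, failures, inconclusive }. A check that did not run (-1)
// or is missing from the report is reported as inconclusive rather than
// silently counted as a pass.
function evaluateScorecard(report, policy) {
  const failures = [];
  const inconclusive = [];
  const byName = new Map(report.checks.map((c) => [c.name, c]));

  if (report.score < policy.minOverall) {
    failures.push(`overall score ${report.score} below ${policy.minOverall}`);
  }
  for (const [name, min] of Object.entries(policy.minPerCheck)) {
    const check = byName.get(name);
    if (!check) {
      inconclusive.push(`${name}: not present in report`);
    } else if (check.score === -1) {
      inconclusive.push(`${name}: ${check.reason}`);
    } else if (check.score < min) {
      failures.push(`${name}: ${check.score} < ${min} (${check.reason})`);
    }
  }
  return { pass: failures.length === 0, failures, inconclusive };
}

const verdict = evaluateScorecard(sampleReport, policy);
console.log(verdict.pass ? "PASS" : "FAIL", verdict);
```

With the sample report the gate fails on Token-Permissions and Pinned-Dependencies, and flags Signed-Releases as inconclusive so a reviewer can decide whether a project with no releases is acceptable for the use case.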
Break things, but not security: CI/CD done right
Deep-dive lecture by Gijs Van Laer in room West Wing
Monday June 2nd, 11:00 - 12:30
Learn how to secure your CI/CD pipeline without slowing down. We cover risks, best practices, essential tools, real-world attacks, and how to justify your security investments.
Key takeaway: Secure CI/CD is achievable without sacrificing speed: start with key tools, embed best practices, and scale smart.
Value Driven Security - A Roadmap to Business Alignment
Introductory lecture by Avi Douglen in room West Wing
Wednesday June 4th, 14:00 - 15:30
Much of security today is generic best practices and checkbox olympics. Shame to waste resources on stuff no one really cares about! Better to map out the business' value streams, and invest efforts in protecting what is actually important.
Key takeaway: Strategic planning requires understanding your environment, your goals, and your challenges. Value-driven mapping techniques help you get there.
Leveraging the security model of the web
Introductory lecture by Philippe De Ryck in room Lemaire
Monday June 2nd, 11:00 - 12:30
Web security is complex and evolving fast, with browsers playing a growing security role. This session explores core techniques to build secure apps and APIs, giving you the foundation to tackle more advanced web security topics.
Key takeaway: Learn how modern browsers approach security and how to build on that foundation to create secure web apps and APIs using proven core techniques.
Using AI to write Secure React.JS code
Deep-dive lecture by Jim Manico in room West Wing
Monday June 2nd, 16:00 - 17:30
In this talk, we will explore the massive potential of AI in secure code creation. This session will discuss techniques that help AI code-generation engines produce higher quality and more secure code.
Key takeaway: Actionable advice on using AI to generate secure code
Using WebAssembly to run, extend, and secure your app
Introductory lecture by Niels Tanis in room West Wing
Tuesday June 3rd, 09:00 - 10:30
In this session we'll dig into WASM, how it works, its security features and how we can use it to host, extend and secure our applications by running it on the WebAssembly System Interface (WASI).
Key takeaway: Understanding WASM, its security features and how to leverage those by integrating it into your application/software.
Breaking and securing OAuth 2.0 in frontends
Deep-dive lecture by Philippe De Ryck in room Lemaire
Tuesday June 3rd, 14:00 - 15:30
Using OAuth 2.0 in the frontend increases your attack surface. Learn why the backend-for-frontend (BFF) pattern is safer and how to defend against real-world token attacks.
Key takeaway: Frontend OAuth 2.0 patterns, even with token protections, leave apps exposed—real security comes from moving sensitive logic to a secure backend.