Full schedule for SecAppDev 2025

Web security is complex and evolving fast, with browsers playing a growing security role. This session explores core techniques to build secure apps and APIs, giving you the foundation to tackle more advanced web security topics.

Key takeaway: Learn how modern browsers approach security and how to build on that foundation to create secure web apps and APIs using proven core techniques.

OpenAPI specs are more than docs—they can drive API security. Learn how to use them in spec/code-first workflows to find vulnerabilities, guide audits, and power security tools for testing, attacks, and runtime protection.

Key takeaway: A well-crafted OpenAPI spec can uncover security issues, guide audits, and power tools for testing, making it a key asset in your API security strategy.

Discover how bug bounty programs outperforms traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.

Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.

Learn how to secure your CI/CD pipeline without slowing down. We cover risks, best practices, essential tools, real-world attacks, and how to justify your security investments.

Key takeaway: Secure CI/CD is achievable without sacrificing speed: start with key tools, embed best practices, and scale smart.

Using OAuth 2.0 in the frontend increases your attack surface. Learn why BFF is safer and how to defend against real-world token attacks.

Key takeaway: Frontend OAuth 2.0 patterns, even with token protections, leave apps exposed—real security comes from moving sensitive logic to a secure backend.

Threat modeling by yourself is great - noone is there to tell you you're wrong. But if you want to discover nontrivial issues, the ones you'd not have on your checklist, you'll need to engage with others. But too often we chase them away.

Key takeaway: Threat modeling is not JUST a technical activity, and should intentionally leverage social techniques to maximize stakeholders participation.

In this session we will walk through the engineer’s toolbox for protecting different types of data against common privacy threats. The talk is informed by existing practical tools as well as by modern research on data privacy.

Key takeaway: Privacy is an engineering responsibility, not only a legal or design issue. Privacy-preserving techniques are accessible and implementable today.

Lack of authority, an outsider's view of the development process and a faulty language of risk..Are security practitioners fated to point at risk and not be heard?

Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.

Large Language Models (LLMs) open up a new realm of possibilities in application development, but they also pose significant challenges. Their non-deterministic nature and broad use cases complicate testing, while unpredictable failures (“hallucinations”) and novel attack vectors (“prompt injections”) add risk.

This workshop covers LLM-based applications, highlights unique threats, and offers hands-on testing and hardening techniques. Attendees will learn to set up and secure basic LLM-driven solutions in their organizations.

Learning goal: Learn how LLM applications work and are architected, the unique security challenges they introduce, and the current best practices in LLM security—along with their limitations.

Modern web applications rely heavily on frontend code, making browser security mechanisms crucial for protecting users and data. This hands-on workshop takes a deep dive into advanced frontend security for Angular / React / Vue applications.

Participants will explore real-world attack scenarios and implement defenses through guided exercises. Designed for developers and security professionals, this workshop blends academic depth with practical application, equipping attendees with the skills to secure modern frontends effectively.

Learning goal: Understand and apply state-of-the-art security mechanisms to protect modern frontends from real-world threats.