SecAppDev 2026 - Architecture
SecAppDev 2026 offers three days of in-depth lectures and two days of hands-on workshops.
OAuth 2.1 Best Practices
Deep-dive lecture by Philippe De Ryck in room Lemaire
Monday June 1st, 16:00 - 17:30
A practical and up-to-date overview of OAuth 2.1, covering core concepts, modern security best practices, and key extensions like PAR and DPoP, with guidance on applying them in real-world architectures and preparing for what’s coming next.
Key takeaway: Learn how to apply OAuth 2.1 best practices and supporting technologies to build secure applications and stay aligned with evolving standards.
Secure by Design — Ideas and Techniques
Introductory lecture by Dan Bergh Johnsson and Daniel Deogun in room West Wing
Monday June 1st, 11:00 - 12:30
Security is a design concern, not just an implementation concern. This session shows how domain modelling, type design, and boundary thinking can structurally eliminate entire classes of vulnerability - before attackers ever get a chance.
Key takeaway: Security is a quality aspect of software - like maintainability or correctness. Teams that design for quality get security as an emergent benefit.
Model Context Protocol (MCP) Security
Advanced lecture by Jim Manico in room West Wing
Tuesday June 2nd, 11:00 - 12:30
An introduction to the Model Context Protocol (MCP) and its security risks. Covers MCP architecture, threat models, and practical defenses to prevent prompt injection, tool abuse, and data leakage in AI tool integrations.
Key takeaway: Understand MCP risks and apply concrete controls to secure AI tool integrations and prevent prompt injection, tool abuse, and data exfiltration.
Secure by Design — A Design Lens on Real Breaches
Deep-dive lecture by Daniel Deogun and Dan Bergh Johnsson in room Lemaire
Wednesday June 3rd, 09:00 - 10:30
Real breaches, analysed not for how they were exploited but for why they were exploitable. Each reveals a design omission that Secure by Design thinking could have caught — and a lesson you can apply to your own systems.
Key takeaway: Breaches have root causes deeper than the exploit. Learn to trace them back to design omissions.
Designing "least-authority" JavaScript apps
Deep-dive lecture by Tom Van Cutsem in room West Wing
Tuesday June 2nd, 16:00 - 17:30
Learn the problems and solutions of combining "trusted" and "untrusted" JavaScript. We introduce secure dialects of JavaScript and practical tools that help to prevent supply-chain attacks from third-party modules.
Key takeaway: Learn how to get "trusted" and "untrusted" JavaScript to safely co-exist in your app.