Full schedule for SecAppDev 2026

A technical deep dive into how Microsoft implements security, resilience, and regulatory compliance at scale—mapping NIS2, DORA, and Secure‑by‑Default principles to concrete controls, engineering processes, and tenant‑level protections

Key takeaway: Learn how regulatory requirements become enforceable controls, measurable metrics, and practical Secure‑by‑Default engineering across cloud systems

Post-Quantum Cryptography (PQC) answers the threat posed by quantum computers. We discuss the emerging standards and national agencies' recommendations for migration. We conclude with performance benchmarks and crypto agility challenges.

Key takeaway: If you have not yet developed a PQC migration strategy, you should do so in the next 6 months.

An up-to-date look at the browser security model, new browser features, and how mechanisms like the Sanitizer API, cookie prefixes, and script integrity help build more secure web applications.

Key takeaway: Understand how browsers think about security, and how to leverage modern browser features in your applications.

A practical and up-to-date overview of OAuth 2.1, covering core concepts, modern security best practices, and key extensions like PAR and DPoP, with guidance on applying them in real-world architectures and preparing for what’s coming next.

Key takeaway: Learn how to apply OAuth 2.1 best practices and supporting technologies to build secure applications and stay aligned with evolving standards.

This session explores real-world security risks in AI-assisted coding and presents best practices to mitigate them and securely integrate AI into the development lifecycle.

Key takeaway: AI is a powerful force multiplier, but only when paired with strong security practices, verification, and human oversight.

Cybersecurity shapes society. This talk shows how ethical frameworks can guide security analysis and design. It covers harms to privacy and property, transparency and disclosure, and AI impacts, all based on real-world cases.

Key takeaway: An increasingly digital society implies that software developers are facing more ethical issues; this requires critical reflection.

This talk traces crypto wars from limits on research and key escrow to Apple vs. FBI. It covers debates on scanning communications and EU plans for access to encrypted data, ending with privacy risks of the EU Digital Identity Wallet.

Key takeaway: Crypto wars show ongoing tension between privacy & surveillance, with growing risks to online privacy

This lecture introduces the concepts of dark patterns from interdisciplinary (HCI, privacy, and legal) literature to highlight the evolution of this UX design phenomena, with implications for the age of AI.

Key takeaway: Dark patterns are a persistent 'threat' to users in a different fashion; security perspectives can contribute to ongoing mitigation efforts.

Real breaches, analysed not for how they were exploited but for why they were exploitable. Each reveals a design omission that Secure by Design thinking could have caught — and a lesson you can apply to your own systems.

Key takeaway: Breaches have root causes deeper than the exploit. Learn to trace them back to design omissions

There's many known (and still being discovered) attack vectors against deep learning models. In this session, we'll walk through some of the history of adversarial ML and deep learning and find what's changed and what's stayed the same.

Key takeaway: AI/DL models are inherently nondeterministic and have other properties that allow for old, new and interesting attacks.

In this session, you'll dive into how this creates interesting vectors for privacy attacks on AI/ML systems. You'll also be introduced to what types of interventions might work to address such issues.

Key takeaway: Information exfiltration due to memorization is an interesting attack vector for today's AI/deep learning models.

TBD

Key takeaway: TBD

This training teaches engineers to use Claude Code with professional discipline: machine-readable requirements, secure coding prompts, and repeatable GitHub workflows. Participants learn to convert issues into structured plans, refine them before code generation, and enforce review gates for architecture, security, and quality. The course also covers repo governance files (CLAUDE.md, REQUIREMENTS.md, ARCHITECTURE.md, SECURITY.md) to constrain AI behavior and maintain traceability from requirements → plan → code → review.

Learning goal: Attendees will learn a disciplined workflow for using Claude Code professionally: defining machine-readable requirements, generating and reviewing implementation plans, enforcing architecture and security constraints, and producing AI-assisted code.

This workshop gives you hands-on experience with attacking large language models (LLMs) using a range of prompt-based strategies. You will actively explore how these attacks work in practice and what their impact is on real systems. The workshop also gives you insight into defensive techniques, and shows how architectural choices, testing approaches, and security observability can be used to strengthen applications built with generative models.

Learning goal: Practical strategies, best practices, and tools to improve the security posture of modern AI systems.