SecAppDev 2026 lecture details
Designing "least-authority" JavaScript apps
Learn the problems and solutions of combining "trusted" and "untrusted" JavaScript. We introduce secure dialects of JavaScript and practical tools that help to prevent supply-chain attacks from third-party modules.
Tuesday June 2nd, 16:00 - 17:30
Room West Wing
Abstract
How can trusted and untrusted JavaScript modules safely co-exist within the same application runtime? Integrating untrusted code is more common than you may think: your app may load third-party scripts as "plug-ins", or perhaps your app relies on third-party modules installed via a package manager. We discuss how JS modules can be better "isolated" from one another, independent of whether you’re using JS in the front-end or back-end. We introduce secure dialects of JavaScript and practical tools that are available to help prevent supply-chain attacks from third-party modules.
Key takeaway
Learn how to get "trusted" and "untrusted" JavaScript to safely co-exist in your app.
Content level
Deep-dive
Target audience
Web developers, full-stack engineers, web application software architects
Prerequisites
We assume some familiarity with the JavaScript programming language.
Join us for SecAppDev. You will not regret it!
Grab your seat now
Related lectures
OAuth 2.1 Best Practices
Deep-dive lecture by Philippe De Ryck in room Lemaire
Monday June 1st, 16:00 - 17:30
A practical and up-to-date overview of OAuth 2.1, covering core concepts, modern security best practices, and key extensions like PAR and DPoP, with guidance on applying them in real-world architectures and preparing for what’s coming next.
Key takeaway: Learn how to apply OAuth 2.1 best practices and supporting technologies to build secure applications and stay aligned with evolving standards.
Secure by Design — Ideas and Techniques
Introductory lecture by Dan Bergh Johnsson and Daniel Deogun in room West Wing
Monday June 1st, 11:00 - 12:30
Security is a design concern, not just an implementation concern. This session shows how domain modelling, type design, and boundary thinking can structurally eliminate entire classes of vulnerability - before attackers ever get a chance.
Key takeaway: Security is a quality aspect of software - like maintainability or correctness. Teams that design for quality get security as an emergent benefit.
Model Context Protocol (MCP) Security
Advanced lecture by Jim Manico in room West Wing
Tuesday June 2nd, 11:00 - 12:30
An introduction to the Model Context Protocol (MCP) and its security risks. Covers MCP architecture, threat models, and practical defenses to prevent prompt injection, tool abuse, and data leakage in AI tool integrations.
Key takeaway: Understand MCP risks and apply concrete controls to secure AI tool integrations and prevent prompt injection, tool abuse, and data exfiltration.