Modern AppSec Gotchas

We keep building better web frameworks full of built-in security features, but we keep finding new ways to work around them! Modern web developers can typically afford to take a lot for granted when it comes to appsec, with languages and frameworks that by default enforce many decent security practices. Browsers are getting better at automatically protecting users and blocking unsafe content as well. However, that just makes it all the more important to know why these helpful features are in place and how best to leverage them, instead of ignoring, fighting against or disabling them.

In this talk, we’ll explore common patterns where developers most often choose to forego the built-in protection offered by their tools of choice. We’ll cover where this happens, why it tends to happen, and how to catch these corner cases before they turn up in production. As a developer, it’s easy to be lured into the trap of assuming that security is “already taken care of” by that shiny new {NodeJS package/Golang framework/JSX-on-the-blockchain}, but we’ll also give some examples of insecure defaults in commonly relied-on frameworks. Modern development comes with lots of helpful bells and whistles, but modern developers need to be more vigilant than ever when it comes to ensuring strong application security!