
AppSec is too hard!?

2021-09-24

Authors: Philippe De Ryck


Summary

The presentation discusses the challenges of building secure applications and proposes solutions to improve the situation. The speaker uses examples of security issues with JSON Web Tokens and unsafe HTML components to illustrate the problem.
  • Developers want to build secure applications but still fail despite their best efforts
  • JSON Web Tokens have security issues that need to be addressed
  • Unsafe HTML components can lead to security vulnerabilities
  • Encapsulating security behavior in code can make it easier to apply security best practices at scale
  • Usable security for developers is necessary to improve the situation
JSON Web Tokens serve as the running example: they offer real advantages, yet the way libraries expose them leaves room for mistakes even when developers are careful. The talk argues that the remedy is usable security for developers, which means encapsulating the correct behaviour so that the easy path is also the secure one.

Abstract

Looking at available tools and features, it is easy to conclude that AppSec is shooting for the moon. Modern frameworks build security in by default, and vulnerable technologies are replaced by more secure alternatives. But regardless of all these good intentions, we see the same vulnerabilities popping up over and over again. Are we just careless when building applications, or is AppSec too hard? Throughout this talk, we review various cases where frameworks and libraries get in the way of security, paving the way for application-level vulnerabilities. With practical examples, we investigate more robust approaches to application security. The patterns we discuss will not only help you to improve the security of your applications but also make application security more manageable at scale.

Materials: