AppSec is Too Hard

Explore the challenges and misconceptions of application security in this 43-minute Devoxx conference talk. Delve into practical examples that demonstrate how frameworks and libraries can inadvertently compromise security, leading to recurring vulnerabilities. Learn about more robust approaches to AppSec, including strategies for improving security at scale. Examine specific cases involving React, HTML rendering, and JSON Web Tokens, and understand common pitfalls in implementing security features. Gain valuable insights on encapsulation, leveraging tools, and fostering security awareness to create more secure and manageable applications.

Intro
Good intentions
How do you build secure software
React example
Practical examples
HTML rendering
React dangerously set inner HTML
The solution
First takeaway
Documentation
Its not enough
Code Scan
Save HTML
Simplify your code
Zero findings
Encapsulation
Chasing Web Tokens
What is a JSON Web Token
Apache Pulsar vulnerability
Jot vulnerability
Dark mode
Open Source Documentation
Elginon Problem
Attack
Common Pitfalls
Json Web Tokens
Digital Signatures
Parse Claims
Key Rotation
What I need to learn
Why encapsulate
Flexibility
Netflix
Takeaways
Security Awareness
Encapsulate
Leverage tooling
Shameless plug