Jakub Andrzejewski

Security in modern Web Applications - OWASP to the rescue!

Could a malicious NPM package give attackers a reverse shell into your system? Learn how this simple mistake compromised companies like PayPal, Microsoft, and Netflix.

Security in modern Web Applications - OWASP to the rescue!
#1about 3 minutes

Frontend developers now share responsibility for application security

Modern full-stack frameworks like Nuxt.js and Next.js shift security concerns from being backend-only to involving frontend developers.

#2about 3 minutes

Why security is often neglected in development

The push to deliver features quickly often leads development teams to overlook critical aspects like security, performance, and accessibility.

#3about 2 minutes

Understanding the OWASP Top 10 for web security

The OWASP Top 10 is a standard awareness document that provides a starting point for understanding the most critical web application security risks.

#4about 3 minutes

Common web application threats like injection and DoS

Explore common vulnerabilities from the OWASP list, including SQL injection, cross-site scripting (XSS), broken access control, and denial-of-service (DoS) attacks.

#5about 1 minute

Leveraging OWASP resources like cheat sheets and ZAP

OWASP provides valuable resources for developers, including technology-specific cheat sheets and the ZAP penetration testing tool to identify vulnerabilities.

#6about 2 minutes

The danger of dependency confusion in NPM packages

Malicious NPM packages with the same name as private packages can be fetched from public registries, leading to severe security breaches.

#7about 2 minutes

Implementing security with native HTTP security headers

Use HTTP response headers like Content-Security-Policy to instruct the browser on how to handle resources, enhancing security for both dynamic and static sites.

#8about 2 minutes

Managing browser permissions and basic authentication

You can programmatically block access to sensitive browser APIs like geolocation and implement simple basic authentication for access control.

#9about 4 minutes

A practical demonstration of the nuxt-security module

See a live demo of the `nuxt-security` module automatically adding security headers, blocking XSS attempts, rate limiting requests, and enabling basic auth.

#10about 2 minutes

Introducing a new out-of-the-box security module for Next.js

A new security module is being developed for Next.js and React to provide the same easy-to-implement security features as its Nuxt counterpart.

#11about 1 minute

The goal is to make systems too difficult to break

Since no system is truly unbreakable, the primary goal of security is to make your application so time-consuming to compromise that attackers give up.

#12about 2 minutes

Answering questions on LLM injection and header implementation

The Q&A session covers the possibility of LLM injection attacks in future OWASP lists and clarifies the best practice of using server-level headers over `http-equiv`.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Essential web security best practices beyond SPAs
33:09 MIN

Essential web security best practices beyond SPAs

A Primer in Single Page Application Security (Angular, React, Vue.js)

A seven-step guide to securing modern web apps
36:35 MIN

A seven-step guide to securing modern web apps

Full-stack role-based authorization in 45 minutes

Understanding common web and API vulnerability classes
1:15:27 MIN

Understanding common web and API vulnerability classes

Software Security 101: Secure Coding Basics

Applying typed security to OWASP vulnerabilities
21:01 MIN

Applying typed security to OWASP vulnerabilities

Typed Security: Preventing Vulnerabilities By Design

Why developers make basic cybersecurity mistakes
00:28 MIN

Why developers make basic cybersecurity mistakes

Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes

Focusing on key OWASP Top 10 risks for developers
04:13 MIN

Focusing on key OWASP Top 10 risks for developers

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue

Identifying top security risks with the OWASP Top 10
05:12 MIN

Identifying top security risks with the OWASP Top 10

Plants vs. Thieves: Automated Tests in the World of Web Security

Hands-on security training for developers
14:17 MIN

Hands-on security training for developers

How GitHub secures open source

Featured Partners

Related Videos

See all videos
Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Bullet-Proof APIs: The OWASP API Security Top Ten25:46

Bullet-Proof APIs: The OWASP API Security Top Ten

Christian Wenz

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

What The Hack is Web App Sec?24:01

What The Hack is Web App Sec?

Jackie

Security Pitfalls for Software Engineers27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

Friend or Foe? TypeScript Security Fallacies27:41

Friend or Foe? TypeScript Security Fallacies

Liran Tal

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

From learning to earning

Jobs that call for the skills explored in this talk.