Room 3 

09:00 - 17:00 


2 Days

A Builder's Guide to Securing Modern Applications

Securing modern web applications is hard, really hard. Not only do you have to make the right architectural security decisions, but you also have to be aware of various implementation vulnerabilities in both frontend apps and APIs. Common failures result in data extraction or complete system compromise.


Through in-depth lectures, hands-on labs, live demos and interactive quizzes, this workshop will teach you how to build secure applications for the modern web. We explore fundamental challenges that drive the design of your applications. We also introduce common vulnerabilities in frontend and backend and investigate relevant defenses. Additionally, we dive into coding guidelines and defense-in-depth strategies that allow you to increase the security of your applications.

Concretely, we will cover the following topics in this hands-on training:

  • The security model of modern web applications
  • Cross-Site Scripting problems in modern frontends
  • Using Trusted Types to eradicate XSS vulnerabilities
  • Assessing and improving your authorization policies
  • JWT security failures in modern applications
  • API security testing to avoid common misconfigurations
  • Server-Side Request Forgery (SSRF) attacks and defenses
  • Q & A throughout the workshop

At the end of this workshop, you will understand modern application security best practices and walk away with a list of actionable items to assess and improve the security of your applications.

Who should attend?

This security training specifically targets developers and architects building modern web frontends / APIs. Anyone involved in building, testing, and designing modern applications should be here. This training course gives you an up-to-date and in-depth look at current security best practices. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.


These testimonials from previous workshops give you a good idea of what to expect:

  • Trainer is great and an expert in the domain. All of the topics are very relevant. Practical examples for most of the topics. Excellent communication and addressing of questions.
  • Even though the topic is broad, there was no single moment where my focus went astray. Philippe talks in a way to keep you interested to listen to him.
  • I liked the pleasant and relaxed way of speaking and the fresh style of presentation of this kind of dry stuff :)
  • Philippe is a friendly and knowledgeable trainer and delivered an interesting course that was well presented. Questions were answered promptly and in a detailed way.


To participate in this training, you should have development experience with web applications and APIs. Familiarity with the basics of security is helpful but not required. The training will include Angular / React / NodeJS / Java Spring / .NET Core examples but is just as relevant for other frameworks and technologies.

Computer setup

To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (e.g., Chrome, Firefox).

Philippe De Ryck

Philippe De Ryck specializes in making web security accessible to developers and architects, leveraging his Ph.D. from KU Leuven to inform his comprehensive understanding of security challenges. As the founder of Pragmatic Web Security, he provides practical security training and consulting services to organizations worldwide.

His online course platform offers a self-paced approach to learning about security. Philippe also actively helps shape OAuth 2.0 best practices as the co-author of the best practices for browser-based apps specification.

Philippe is recognized as a Google Developer Expert, acknowledging his contributions to web application and API security. He also organizes SecAppDev, an annual week-long application security course in Belgium.