Security BSides Las Vegas 2025

Javan Rasokat

Javan works as Senior Application Security Specialist at Sage, helping product teams enhance security throughout the software development lifecycle. On the side, he lectures on Secure Coding at DHBW University in Germany. His journey as an ethical hacker began young: he automated online games by writing bots and identified security bugs along the way, which he then reported to the game operators. Javan turned his interests into his profession, starting as a full stack web and mobile engineer before transitioning into a passionate security consultant. Javan holds a Master’s degree in IT Security Management and several certifications, including GXPN, AIGP, CISSP, CCSP, and CSSLP. He has shared his research at conferences, including OWASP Global AppSec, DEFCON, and HITB.


Sessions

08-05
14:00
20min
XSS is dead - Browser Security Features that Eliminate Bug Classes
Javan Rasokat

Traditional application security is broken. We’re stuck in a cycle of bug bounties, vulnerability reports, and endless patching - yet the same issues keep resurfacing. Despite years of “shifting left,” vulnerabilities still slip into production, forcing security teams into constant firefighting. What if we could eliminate entire bug classes instead of fixing them one by one?

This talk explores how modern browser security features can automate and scale security, removing vulnerabilities without relying solely on developers remembering best practices. Powerful opt-in mechanisms like Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata can systematically prevent issues like XSS, CSRF, clickjacking, and cross-origin attacks.

Using real-world case studies, we’ll show how leading organizations have leveraged these browser-native protections to eliminate vulnerabilities at scale. We’ll cover practical ways to integrate these features, automate security headers, enforce secure defaults, and measure adoption effectively.

If you’re a developer or security engineer ready to move beyond endless patching and start building secure-by-design applications, this session is for you. Learn how to automate, scale, and forget entire bug classes by harnessing the latest advances in browser security.

Ground Floor
Florentine E
08-05
15:00
240min
Eliminating Bug Classes at Scale: Leveraging Browser Features for Proactive Defense
Javan Rasokat

Traditional patching has failed to scale - it’s time for a new approach. This hands-on workshop teaches you to eliminate entire bug classes with modern browser security features instead of endlessly reacting to reports. Instead of firefighting the same issues, you’ll learn how Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata go beyond traditional recommendations to prevent vulnerabilities at scale.

You’ll work with a training app that’s already secured, but we’ll go further. By applying advanced browser defenses, monitoring their effectiveness, and enforcing them at scale, you’ll experience firsthand how modern web standards protect both new and legacy systems.

This isn’t just about fixing issues - it’s about scaling security across an organization. We’ll explore measuring adoption across hundreds of services, automating enforcement, and applying defense-in-depth beyond single vulnerabilities.

Through interactive group challenges, you’ll tackle XSS vulnerabilities (among others), but not in the way you are used to. Whether you’re a developer, security engineer, or architect, you’ll leave with practical tools and a proactive security mindset - moving from patching to prevention.
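One way to put the three mechanisms named in the talk and the workshop together on the server side, as an added example that is not the speaker's or the workshop's code: a Sec-Fetch-Metadata resource isolation policy that rejects cross-site requests (covering CSRF) and a strict, nonce-based CSP v3 header that enables Trusted Types and blocks framing. It is framework-free Node.js; the lower-cased header object and the function names are assumptions, and the allow/deny rules follow the commonly published Fetch Metadata resource-isolation recipe.

```javascript
// Added example (not from the talk): a Sec-Fetch-Metadata resource isolation
// policy and a strict, nonce-based CSP level 3 header with Trusted Types.
// Top-level navigations into these destinations embed the page cross-site
// (<object>/<embed>), so they are not treated as ordinary link clicks.
const BLOCKED_NAV_DESTS = new Set(['object', 'embed']);

// Decide, from the HTTP method and Sec-Fetch-* request headers alone, whether
// a request may be served. `headers` uses lower-case header names. Returns
// { allow, reason } so decisions can be logged (report mode) before enforcing.
function resourceIsolationPolicy(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Clients without Fetch Metadata send no Sec-Fetch-Site: fail open so
  // legacy browsers keep working (this is defense in depth, not the only control).
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };

  // Same-origin, same-site and browser-initiated (address bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: 'same-site-or-user-initiated' };
  }

  // Cross-site top-level GET navigations keep inbound links working.
  if (mode === 'navigate' && method.toUpperCase() === 'GET' &&
      !BLOCKED_NAV_DESTS.has(dest)) {
    return { allow: true, reason: 'top-level-navigation' };
  }

  // Cross-site subresource loads, fetch/XHR, form POSTs, frames: reject.
  // This covers CSRF and cross-site leaks without per-endpoint tokens.
  return { allow: false, reason: 'cross-site-request' };
}

// Strict CSP for one response; `nonce` must be fresh per response (16 random
// bytes, base64). 'strict-dynamic' (CSP3) lets nonced scripts load further
// scripts; https: and 'unsafe-inline' are fallbacks ignored by CSP3 browsers.
// Trusted Types makes DOM XSS sinks refuse plain strings; frame-ancestors
// stops clickjacking.
function buildStrictCsp(nonce) {
  return [
    `script-src 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline'`,
    "object-src 'none'",
    "base-uri 'none'",
    "require-trusted-types-for 'script'",
    "trusted-types default",
    "frame-ancestors 'self'",
  ].join('; ');
}
```

Run the policy in log-only mode first and review the `reason` values across real traffic before returning 403 on `allow === false`, which is the "monitor, then enforce" rollout the workshop describes.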

Training Ground
Diamond