2025-08-05 –, Diamond
Traditional patching has failed to scale - it’s time for a new approach. This hands-on workshop teaches you to eliminate entire bug classes with modern browser security features instead of endlessly reacting to reports. Instead of firefighting the same issues, you’ll learn how to use Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata to go beyond traditional recommendations and prevent vulnerabilities at scale.
You’ll work with a training app that’s already secured, but we’ll go further. By applying advanced browser defenses, monitoring their effectiveness, and enforcing them at scale, you’ll experience firsthand how modern web standards protect both new and legacy systems.
This isn’t just about fixing issues - it’s about scaling security across an organization. We’ll explore measuring adoption across hundreds of services, automating enforcement, and applying defense-in-depth beyond single vulnerabilities.
Through interactive group challenges, you’ll tackle XSS vulnerabilities (among others), but not in the way you are used to. Whether you’re a developer, security engineer, or architect, you’ll leave with practical tools and a proactive security mindset - moving from patching to prevention.
Fixing the same vulnerabilities over and over doesn’t scale. This workshop takes a different approach - eliminating entire bug classes (where we can) using the latest browser security features (some are very new). With the new OWASP Proactive Controls list now including C6 browser security, it’s the perfect time to focus on prevention instead of endless patching.
I first ran this workshop inside my own organization, and even experienced AppSec leads found it eye-opening. The idea was inspired by some work happening behind closed doors at big tech companies, e.g. Google. One of the things made public was the Security Signals research paper by Google. I took those ideas, built on them, and created this hands-on training.
- Attendees will exploit vulnerabilities in a training app, then apply defenses like CSP v3, Trusted Types, and Sec-Fetch-Metadata to see their impact in real-time.
- Teams will compete to break and defend a web application using modern security headers and policies.
- We’ll analyze security breaches that could have been prevented with these mechanisms, making the session practical and engaging.
- Attendees will learn how to measure and enforce adoption across an organization using their own automation, rather than relying on one-off fixes.
- Many security workshops focus on finding and fixing individual bugs. This workshop shifts the perspective toward eliminating entire bug classes using modern browser security features.
- Unlike classic hands-on labs, this workshop helps attendees think at scale - how to enforce security measures across entire organizations, making it relevant to large enterprises as well as individual developers.
- Covers new web security standards that didn’t exist a few years ago, offering attendees fresh, actionable knowledge beyond OWASP basics.
- Unlike many offensive security workshops, this is a security-builder-focused session, empowering developers and security teams to integrate security-by-design.
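To make the three mechanisms named above concrete, here is an added example (not part of the workshop material or its training app): a nonce-based CSP v3 policy that also enables Trusted Types, a server-side Fetch Metadata resource-isolation check, and a small audit that scores how many services have adopted the policy. The service names, response headers and request headers are constructed for the example.

```python
"""Added example: CSP v3 + Trusted Types header, a Fetch Metadata check, and
an adoption audit over constructed sample services (not the workshop's code)."""
import secrets
from typing import Dict, Mapping


def new_nonce() -> str:
    """Fresh per-response nonce; must never be reused across responses."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Strict, nonce-based CSP in the CSP v3 style.

    'strict-dynamic' lets scripts loaded by a nonced script run without a host
    allowlist. 'https:' and 'unsafe-inline' are ignored by browsers that
    understand nonces and 'strict-dynamic' and only serve as a fallback for
    older ones. The Trusted Types directives force DOM sinks such as innerHTML
    to accept only values produced by the named policies.
    """
    directives = [
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'",
        "object-src 'none'",
        "base-uri 'none'",
        "require-trusted-types-for 'script'",
        "trusted-types default dompurify",  # policy names are assumptions
    ]
    return "; ".join(directives)


# Values of Sec-Fetch-Site that a resource-isolation policy treats as trusted.
SAFE_SITES = {"same-origin", "same-site", "none"}


def fetch_metadata_allows(method: str, headers: Mapping[str, str]) -> bool:
    """Resource Isolation Policy built on Fetch Metadata request headers.

    Cross-site requests are rejected unless they are top-level GET navigations
    (a user following a link). Requests that carry no Sec-Fetch-Site header
    (older browsers, non-browser clients) are allowed so the check can be
    rolled out without breaking them; that is the usual staged deployment.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None or site in SAFE_SITES:
        return True
    if (method.upper() == "GET"
            and h.get("sec-fetch-mode") == "navigate"
            and h.get("sec-fetch-dest") not in ("object", "embed")):
        return True
    return False


def audit_headers(headers: Mapping[str, str]) -> Dict[str, bool]:
    """Score one service's response headers against the policy above."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    return {
        "has_csp": bool(csp),
        "nonce_based": "'nonce-" in csp and "'strict-dynamic'" in csp,
        "trusted_types": "require-trusted-types-for" in csp,
        "blocks_objects": "object-src 'none'" in csp,
    }


def adoption_report(services: Mapping[str, Mapping[str, str]]) -> Dict[str, int]:
    """Count, per check, how many services pass; the input would normally be
    fetched from each service, here it is a constructed mapping."""
    totals: Dict[str, int] = {}
    for headers in services.values():
        for check, ok in audit_headers(headers).items():
            totals[check] = totals.get(check, 0) + int(ok)
    return totals


# Constructed sample: one service on the strict policy, one legacy allowlist
# policy with 'unsafe-inline', and one service with no CSP at all.
SAMPLE_SERVICES = {
    "billing": {"Content-Security-Policy": build_csp("abc123")},
    "legacy-portal": {"Content-Security-Policy": "default-src 'self' 'unsafe-inline'"},
    "status-page": {},
}


if __name__ == "__main__":
    print(build_csp(new_nonce()))
    print(adoption_report(SAMPLE_SERVICES))
```

Run as a script it prints a fresh policy and the per-check counts for the three constructed services; in practice the audit loop would pull headers from every service in the fleet and feed the counts into a dashboard, which is the "measure adoption across hundreds of services" step. The Fetch Metadata check is written as a plain function so it can sit in front of any framework's request handler.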
Javan works as Senior Application Security Specialist at Sage, helping product teams enhance security throughout the software development lifecycle. On the side, he lectures on Secure Coding at DHBW University in Germany. His journey as an ethical hacker began young, when he automated online games by creating bots and identified security bugs, which he then reported to the game operators. Javan turned his interests into his profession and began as a full stack web and mobile engineer before transitioning into a passionate security consultant. Javan holds a Master’s degree in IT Security Management and several certifications, including GXPN, AIGP, CISSP, CCSP, and CSSLP. He has shared his research at conferences, including OWASP Global AppSec, DEFCON, and HITB.