2025-08-05 – Florentine E
Traditional application security is broken. We’re stuck in a cycle of bug bounties, vulnerability reports, and endless patching, yet the same issues keep resurfacing. Despite years of “shifting left,” vulnerabilities still slip into production, forcing security teams into constant firefighting. What if we could eliminate entire bug classes instead of fixing them one by one?
This talk explores how modern browser security features can automate and scale security, removing vulnerabilities without relying solely on developers remembering best practices. Powerful opt-in mechanisms like Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata can systematically prevent issues like XSS, CSRF, clickjacking, and cross-origin attacks.
Using real-world case studies, we’ll show how leading organizations have leveraged these browser-native protections to eliminate vulnerabilities at scale. We’ll cover practical ways to integrate these features, automate security headers, enforce secure defaults, and measure adoption effectively.
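As an added illustration of the two mechanisms above (this is example code written for this page, not material from the talk or its author), the block below shows a server-side Fetch Metadata resource isolation check and a strict CSP level 3 header set with Trusted Types enforcement. It is framework-agnostic: the assumed caller passes the request method and a plain header object. The isolation rules follow the commonly published Fetch Metadata pattern (allow same-origin/same-site/none, allow plain GET top-level navigations except into `object`/`embed`, reject other cross-site requests); the header values are choices for this example, and the sample requests at the bottom are constructed.

```javascript
// Case-insensitive header lookup on a plain object (hypothetical helper).
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Fetch Metadata resource isolation policy.
// Returns true if the request may be served, false if it should be rejected
// as an unwanted cross-site request (the CSRF / cross-origin case).
function allowByFetchMetadata(method, headers) {
  const site = headerValue(headers, 'sec-fetch-site');
  // Browsers without Fetch Metadata send no Sec-Fetch-Site header: fall back to
  // legacy behaviour (allow) so existing CSRF tokens keep covering them.
  if (site === undefined) return true;
  // Requests from our own origin/site, or user-typed ones ('none'), are fine.
  if (['same-origin', 'same-site', 'none'].includes(site)) return true;
  // Keep ordinary links from other sites working: GET top-level navigations
  // are allowed, but not into <object>/<embed>, which load content silently.
  const mode = headerValue(headers, 'sec-fetch-mode');
  const dest = headerValue(headers, 'sec-fetch-dest');
  if (mode === 'navigate' && method.toUpperCase() === 'GET' &&
      !['object', 'embed'].includes(dest)) {
    return true;
  }
  // Anything else (cross-site fetch/XHR, form POST, iframe, image, ...) is rejected.
  return false;
}

// Response headers: nonce-based CSP level 3 with 'strict-dynamic', Trusted Types
// enforcement for DOM XSS sinks, and frame-ancestors/X-Frame-Options against clickjacking.
// The nonce must be fresh per response; the caller is assumed to generate it
// from a CSPRNG (e.g. 16 random bytes, base64-encoded).
function securityHeaders(nonce) {
  if (!/^[A-Za-z0-9+/=_-]{16,}$/.test(nonce)) {
    throw new Error('nonce must be a sufficiently long random base64 string');
  }
  const csp = [
    // 'strict-dynamic' makes nonce-trusted scripts propagate trust to scripts they
    // load; 'unsafe-inline' and https: are ignored by CSP3 browsers and only act as
    // a fallback for older ones.
    `script-src 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
    "require-trusted-types-for 'script'",
  ].join('; ');
  return {
    'Content-Security-Policy': csp,
    'X-Frame-Options': 'DENY',
  };
}

// Constructed sample requests, as a browser would label them.
const samples = [
  ['POST', { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty' }],
  ['POST', { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty' }],
  ['GET',  { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' }],
  ['GET',  { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'object' }],
];
for (const [method, headers] of samples) {
  console.log(method, headers['Sec-Fetch-Site'], headers['Sec-Fetch-Dest'],
    '->', allowByFetchMetadata(method, headers) ? 'allow' : 'reject');
}
console.log(securityHeaders('dGVzdC1ub25jZS12YWx1ZQ==')['Content-Security-Policy']);
```

Rejected requests should be logged with their Fetch Metadata values before enforcement is switched on; running the policy in report-only mode for a while is the usual way to measure adoption and find legitimate cross-site callers that need an explicit allowlist.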
If you’re a developer or security engineer ready to move beyond endless patching and start building secure-by-design applications, this session is for you. Learn how to automate, scale, and forget entire bug classes by harnessing the latest advances in browser security.
I also submitted this talk as a workshop, as I have a great set of practical challenges created for it. But if the workshop isn't accepted, I would also present this as a talk, as I can also pitch this new approach and idea as a talk. With the new OWASP Proactive Controls list now including C6 browser security, it’s the perfect time to focus on prevention instead of endless patching.
I first ran this as a workshop inside my own organization, and even experienced AppSec leads found it eye-opening. The idea was inspired by some work happening behind closed doors at Google; they basically influenced the standards that we are talking about. One of the things made public was the Security Signals research paper by Google. I took those ideas, built on them, and created a hands-on training with practical challenges that use those new features to secure an app in depth; aside from traditional hardening, the challenges rely on the browser features.
Javan works as a Senior Application Security Specialist at Sage, helping product teams enhance security throughout the software development lifecycle. On the side, he lectures on Secure Coding at DHBW University in Germany. His journey as an ethical hacker began young, when he started automating online games by creating bots and identified security bugs, which he then reported to the game operators. Javan turned his interests into his profession and began as a full-stack web and mobile engineer before transitioning into a passionate security consultant. Javan holds a Master’s degree in IT Security Management and several certifications, including GXPN, AIGP, CISSP, CCSP, and CSSLP. He has shared his research at conferences including OWASP Global AppSec, DEFCON, and HITB.