Speaker Details

Philippe De Ryck
Pragmatic Web Security

Philippe De Ryck specializes in making web security accessible to developers and architects, leveraging his Ph.D. from KU Leuven to inform his comprehensive understanding of security challenges. As the founder of Pragmatic Web Security, he provides practical security training and consulting services to organizations worldwide. His online course platform offers a self-paced approach to learning about security. Philippe also actively helps shape OAuth 2.0 best practices as the co-author of the best practices for browser-based apps specification. Philippe is recognized as a Google Developer Expert, acknowledging his contributions to web application and API security. He also organizes SecAppDev, an annual week-long application security course in Belgium.

Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, yet many underestimate its true power. Common practices like using Single Page Applications as OAuth 2.0 clients, with techniques such as refresh token rotation, fail to account for real-world attackers.

This talk will demonstrate two concrete hacks against frontend OAuth 2.0 clients, highlighting the underlying vulnerabilities. We will explore how to address these security shortcomings by introducing structural solutions like the Backend-for-Frontend pattern. By the end of this session, you will be fully up to speed with the latest updates to the "OAuth 2.0 for Browser-based Apps" specification, co-authored by the presenter. You will walk away with a solid understanding of OAuth 2.0 security in frontends and best practices for securing sensitive applications.

More

Searching for speaker images...