Nebraska.Code() Sessions tagged security

Software Security: When to Sanitize User Data and Why

Security vulnerabilities in software are almost always a result of malicious user input. The solution then, of course, is to securely sanitize all user data to avoid any issues. But, in a large application, there are numerous places this sanitization can happen. To name a few, the data can be validated when it first arrives, or it can be encoded when it is exported back to the user or sent to a backend service such as a database.

In this session, I will cover the best places to sanitize user data to avoid security issues and the advantages and disadvantages to each approach in your code.

Speaker

Nathaniel Shere

Technical Services Director, Craft Compliance

Automating Security Defenses -- Letting Your Web Application Fight Back

How quickly does your application respond to security threats?

Most applications rely on security logs (assuming they are present) sent to a monitoring repository, where they are correlated against other activity, analyzed for risk, and responded to when the monitoring team has time.

At that point, an attacker may already have breached the application, or gotten enough information to come back later. Instead, what if we allowed the application to block malicious activity automatically before it had time to become an issue?

In this session, I will present several strategies for developing traps and pitfalls within an application that can catch hacker behavior, and even block the offending user, before any damage is done.

Speaker

Nathaniel Shere

Technical Services Director, Craft Compliance

How to Succeed in Application Security Without Even Trying

We all know that Application Security is one of those things that we should worry about. The time to worry about it is not at 3am when the production server is down. But finding the right places to get started and getting success, or something that feels like success, can be absolutely excruciating, which is one of the reasons that it falls just above documentation in the list of priorities for most development teams. In this session we will talk about the ways that we can GREATLY improve the security of our applications, while playing games, making small changes, and light process changes.

Speaker

James McKee

Global Developer Security Program Manager, Trimble