Talk

Security Risk: Single-Page Applications

Conference
Security

Single-page applications (SPAs) are very popular nowadays; as a result, current frontends are predominantly executed as JavaScript applications running entirely in the user's web browser.

From a security perspective, however, SPAs carry a much higher risk than server-side web applications such as those built with Spring MVC.

In this talk, we will look at the popular SPA libraries Angular, React and Vue and take a closer look at their security aspects. In particular, we will look at security risks such as cross-site scripting (XSS), cross-site request forgery (CSRF), token-based authentication risks, and CORS misconfigurations.

So as not to leave developers standing out in the rain, we will analyze the built-in defenses of the various SPA libraries and frameworks and show which additional steps developers still have to take themselves. So be prepared for some XSS popups to appear in your favorite SPAs.

The talk is aimed at software developers, architects, and anyone else interested in security. Basic prior knowledge of how web applications work is necessary to follow the talk. Knowledge of a programming language such as Java or JavaScript is helpful, but not mandatory.


Andreas Falk

Novatec Consulting

Andreas Falk has been working on enterprise application development projects for more than twenty years.

Currently, he is working as a managing consultant for Novatec Consulting, located in Germany. In various projects he has worked as an architect, developer, coach, and trainer. His focus is on the agile development of cloud-native enterprise Java applications using the complete Spring platform. As the lead of agile security at Novatec Consulting and a member of the Open Web Application Security Project (OWASP), he also likes to take a closer look at all aspects of application security.

Andreas is also a frequent speaker at conferences like Devoxx, Spring I/O, CloudFoundry Summit, and OWASP.