Presented at
DEF CON 33 (2025),
Aug. 9, 2025, 9 a.m.
(240 minutes).
Traditional patching has failed to scale - it’s time for a new approach. This hands-on workshop teaches you to eliminate entire bug classes with modern browser security features instead of endlessly reacting to reports. Instead of firefighting the same issues, you’ll learn how Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata go beyond traditional OWASP recommendations to prevent vulnerabilities at scale.
You’ll work with a training app that’s already secured, but we’ll go further. By applying advanced browser defenses, testing effectiveness, and enforcing security at scale, you’ll experience firsthand how modern web standards protect both new and legacy systems.
This isn’t just about fixing issues - it’s about scaling security across an organization. We’ll explore measuring adoption across hundreds of services, automating enforcement, and applying defense-in-depth beyond single vulnerabilities.
Through interactive group challenges, you’ll tackle real-world vulnerabilities, enforce modern safeguards, and transform how you approach web security. Whether you’re a developer, security engineer, or architect, you’ll leave with practical tools and a proactive security mindset - moving from patching to prevention.
Presenters:
-
Javan Rasokat
- Application Security Architect and Security Researcher
Javan is a Senior Application Security Specialist at Sage, helping product teams enhance security throughout the software development lifecycle. On the side, he lectures Secure Coding at DHBW University in Germany. His journey as an ethical hacker began young, where he began to automate online games using bots and identified security bugs, which he then reported to the game operators. Javan made his interests into his profession and began as a full stack web and mobile engineer before transitioning into a passionate security consultant. Javan holds a Master’s degree in IT Security Management and several certifications, including GXPN, AIGP, CISSP, CCSP, and CSSLP. He has shared his research at conferences, including OWASP Global AppSec, DEFCON, and HITB.