Over the past few years, I’ve spent more time than I’d like to admit in the weeds — reviewing reports, fixing recurring bugs, writing guidance that never scales. Like many in AppSec, I’ve asked myself: Why are we still fixing the same bug classes in 2025 that we were in 2015?
This frustration was the starting point for something more ambitious: a shift from reactive patching to proactive prevention.
How it started
Inspired by Google’s Security Signals paper, I created a hands-on workshop internally at Sage. The goal wasn’t just to educate, but to create a structured space for engineers and security practitioners to experiment with browser-native defences and reflect on what it actually takes to implement them in practice — at scale, and in real systems.
We didn’t just test out CSP or Trusted Types. We talked about the hard bits:
- Deploying policies across hundreds of services
- Integrating modern defences into CI/CD
- Handling legacy apps without rewrite budgets
- Measuring adoption and driving change through product teams
And the impact was real — the workshop became a catalyst for deeper discussions during our internal Securing Sage Summit in May, especially around security headers, CSP deployment and cross-team ownership.
Scaling the message
This year, I’m excited that the same content is making its way to a wider audience.
I’ll be bringing both a talk and a workshop version of the material to Hacker Summer Camp 2025, including BSidesLV and DEF CON 33.
While the venues are different, the mission remains the same:
✅ Eliminate bug classes instead of fixing individual instances
✅ Enforce browser-level security practices
✅ Bring legacy and modern apps under the same secure baseline
✅ Scale AppSec practices without scaling AppSec teams
We’ll be covering modern browser defences like:
- “Strict” Content-Security-Policy
- Trusted Types
- Fetch Metadata (the Sec-Fetch-* request headers)
But it’s not just a tech deep-dive, it’s a practical discussion on making security measurable, adoptable, and default.
Why this matters
There’s no shortage of security awareness content out there. But in my experience, awareness without enforcement creates a false sense of progress. The real challenge is in turning “best practice” into baseline — especially when dealing with dozens of teams, old systems, and business pressure.
Browser features offer a unique opportunity here: they’re enforceable, standardised, and available today. But adoption still lags because the implementation cost feels high — and that’s where practical guidance matters most.
That’s what I’ll be sharing this summer.
If you’re attending BSidesLV or DEF CON, feel free to reach out — happy to talk, share the workshop material, or just exchange stories from the trenches of making security stick.
If you’re not in Vegas, I plan to release parts of the workshop material here on javan.de after the conference.
Let’s stop firefighting and start fixing the root causes.
Agenda for Hacker Summer Camp 2025:
- BSidesLV
- Talk at Ground Floor, 14:00 Tuesday (5th August) | XSS is dead – Browser Security Features that Eliminate Bug Classes
- Workshop at Training Ground, 15:00-19:00 Tuesday (5th August) | Eliminating Bug Classes at Scale: Leveraging Browser Features for Proactive Defense
- DEF CON 33
- Talk at AppSecVillage (time to be scheduled) | The Death of XSS? Browser Security Features that Eliminate Bug Classes
- Workshop at DEF CON, LVCC – L2 – Workshops, 09:00-13:00 Saturday (9th August) | Eliminating Bug Classes at Scale: Leveraging Browser Features for Proactive Defense