We keep building better web frameworks full of built-in security features, but we keep finding new ways to work around them! Modern web developers can typically afford to take a lot for granted when it comes to appsec, with languages and frameworks that by default enforce many decent security practices. Browsers are getting better at automatically protecting users and blocking unsafe content as well. However, that just makes it all the more important to know why these helpful features are in place and how best to leverage them, instead of ignoring, fighting against or disabling them. In this talk, we'll explore common patterns where developers most often choose to forego the built-in protection offered by their tools of choice. We'll cover where this happens, why it tends to happen, and how to catch these corner cases before they turn up in production. As a developer, it's easy to be lured into the trap that security is "already taken care of" by that shiny new {NodeJS package/Golang framework/JSX-on-the-blockchain}, but we'll also give some examples of insecure defaults in commonly relied on frameworks. Modern development comes with lots of helpful bells and whistles, but modern developers need to be more vigilant than ever when it comes to ensuring strong application security!

Fletcher is the founder and CEO of [Hunter2](https://hunter2.com), a company that provides engineering teams with modern appsec training that isn't lame; through an online platform of interactive labs, developers get hands-on practice exploiting and patching up real applications. Fletcher previously ran Real Python, an online community of hundreds of thousands learning modern web development and programming practices.

Back to Circle City Con 2019 Videos list