Lessons learned the hard way: insights on secure web application design

By Amir Shaked

Elevator Pitch

It’s always when you’re under attack that you detect the poor design decisions you’ve made that made you vulnerable or that made it harder to fend off attackers. In this session I’ll cover some best practices I’ve collected over the years that can make a site secure by design and easier to protect.


In this session I’ll share lessons learned from my experience building large web services and applications, being a security researcher, and from helping customers fight live attacks and improve their own protections. Through all these I saw many bad design decisions that resulted in unnecessary vulnerabilities or simply made it much harder to protect the site from attacks.

In today’s world to efficiently protect your website and ensure it stays secure as it scales you need to consider the architecture, infrastructure, and development/devops processes so that security is part of the development lifecycle.

We will focus on design and implementation concepts on the infrastructure and software architecture, as well as best practices that are too frequently being overlooked, and can greatly improve your ability to secure the business logic and allow you to incorporate more sophisticated security features later on as you scale up and handle more users and more attacks.


All the examples here are from real cases, meaning someone, somewhere is still doing mistakes