Philippe De Ryck

Hi, I'm Philippe, and I help developers protect companies through better web security. As the founder of Pragmatic Web Security, I travel the world to teach practitioners the ins and outs of building secure software.

Want to learn more about OAuth 2.0 and OpenID Connect?

Save yourself days of digging through dozens of specs with this online course

More information

Resources Recorded sessions

Recorded sessions

Philippe regularly speaks at conferences around the world. This collection of recorded sessions is a treasure trove of security information. Don't hesitate to share these talks with your colleagues and friends!

The insecurity of OAuth 2.0 in frontends

In this talk, we take an in-depth look at the consequences of XSS in frontend OAuth 2.0 clients. We explore real-world attacker capabilities and map them against a concrete threat model.

SEVEN things about API security

In this talk, we delve into key vulnerabilities from the OWASP API Security top 10, demonstrate a practical exploitation example, and discuss two real-world case studies to guide you in enhancing your API security.

AppSec is too hard!?

In this keynote, we review various cases where frameworks and libraries get in the way of security, paving the way for application-level vulnerabilities. With practical examples, we investigate more robust approaches to application security.

Taking security seriously

In this talk, we take an honest look at the current security landscape. Using plenty of real-world examples, we dive into the dangers applications face today.

How security affects the people behind the code

This keynote reflects on several real-life security incidents and their impact on the people behind the code. From each incident, we will extract lessons learned and translate them into best practices for building secure software.

Forget about OAuth 2.0. Here comes OAuth 2.1

In this session, you will learn about the differences between OAuth 2.0 and OAuth 2.1, and how to follow current best practices to build a secure application architecture.

alert(‘OAuth 2.0’); // The impact of XSS on OAuth 2.0 in SPAs

In this webinar, we take an honest look at the dangers of XSS in SPAs. We discuss the impact on OAuth 2.0 along with current security best practices.

Securing React with Trusted Types

In this talk, we look at Trusted Types, a platform-based defense that will eradicate XSS vulnerabilities in frontends. We investigate how Trusted Types can stop typical React XSS attacks and how to enable Trusted Types for your entire application.

OAuth 2.0 and OpenID Connect for Single Page Applications

In this talk, we look at security best practices for using OAuth 2.0 and OpenID Connect in Single Page Applications. We discuss topics such as the Authorization Code flow, token theft, and a backend-for-frontend security pattern.

Serving the right recipe for API authentication

Authentication is a cornerstone of API security. This session explores several authentication recipes for different scenarios, enabling you to choose the right authentication mechanism for your application according to current best practices.

The parts of JWT security nobody talks about

JSON Web Tokens have become the de facto standard to represent claims securely. However, many of the more elaborate security features of JWTs are unknown. This talk covers advanced security best practices for JWT tokens.

Introduction to OAuth 2.0 and OpenID Connect

This talk will provides an introduction to both OAuth 2.0 and OpenID Connect. The talk covers their intended usage scenarios, along with best practices for using them securely.

Common API security pitfalls

Modern applications consist of a frontend application, backed by an API. In this session, we investigate common security issues in APIs, along with current best practices for building secure APIs.

Authentication with OpenID Connect in Angular applications

In this talk, we look at securely implementing OIDC in an Angular application. We investigate which flow to use in which scenario. We look at the security properties in OpenID Connect, and how to ensure your application respects them.

Angular and the OWASP top 10

The OWASP top 10 is one of the most influential security documents of all time. In this talk, we explore how the OWASP top 10 applies to Angular applications and discuss the most relevant items.

The truth about cookies, tokens and APIs

With the rise of Single Page Applications, cookies are being replaced with tokens in custom headers. We dive into the technicalities behind these technologies, and the actual security impact of your choices.

Security patterns for keeping secrets in the browser

In this talk, we investigate the strengths and weaknesses of browser-based storage mechanisms. We explore various security strategies to protect sensitive data. We even propose a way to protect data against physical access to the device.

Passwords and pixie dust - A look at OAuth 2.0 security in Angular

In this talk, we give an overview of the flows in OAuth 2.0 that are relevant for Angular applications. We also dive deeper into a recent addition to OAuth 2.0, known as PKCE.

From the OWASP top 10(s) to the OWASP ASVS

This talk will review the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018 and compare them to a more comprehensive standard, the OWASP Application Security Verification Standard (ASVS) v3.1.

HTTPS for developers

The HTTPS ecosystem today is vastly different than a couple of years ago. We look at how HTTPS impacts the application. We will see how merely deploying HTTPS is far from sufficient to secure an application.

Philippe De Ryck

Dr. Philippe De Ryck

Hi, I'm Philippe, and I help developers protect companies through better web security. As the founder of Pragmatic Web Security, I travel the world to teach practitioners the ins and outs of building secure software.

Talks and workshops

You will often find me speaking and teaching at public and private events around the world. My talks always encourage developers to step up and get security right.

Articles

Security is often about small nuances. In my articles, I dive deeper into various security topics, providing concrete guidelines and advice. My articles also answer questions I often get while speaking or teaching.

Security resources

Getting security right is all about knowledge. I strongly believe in sharing that knowledge to move forward as a community. Among my resources, you can find developer cheat sheets, recorded talks, and extensive slide decks.

Mailing list

Subscribe to the Pragmatic Web Security mailing list to stay up to date on the latest activities and resources.

Subscribe

\