Web Directions safe 2021

Global, OnlineDec. 3 & 10 2021

security, privacy, identity for front end developers

Day 1

  • December 3rd
  • 11:00am–3:00pm Sydney
  • 12:00pm–4:00pm London
  • 1:00pm–5:00pm New York

Set safer site defaults for today and tomorrow

Rowan Merewood, Developer Relations Engineer Chrome

The web has a history of being an over-sharer. Original defaults tended to allowing everything—with restrictions needing to be explicitly added by the site. Newer APIs follow the principle of least privilege, so that's better, but still have the challenge of maintaining backwards-compatibility leaves sites with a lot of responsibility to create a safe experience for visitors.

We'll explore how the platform is moving to safer defaults—from phasing out third-party cookies, removing passive fingerprinting surfaces, and enforcing cross-origin isolation. Alongside these ongoing efforts, we'll also go through the changes you can make today to protect your site—from improving cookie usage to locking down your third-party interactions. We will also explore some patterns for balancing appropriate collection of user information with protecting those same users from phishing or other forms of fraud.

Continuous Security - Building Security into your Pipelines

DeveloperSteve Coochin, Senior Dev Advocate Snyk

In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure is becoming increasingly blurred. Our workloads, the containers they ship in, and our platform configuration is now often developed and deployed by the same teams, and development velocity is the key metric to success.

This presents us with a challenge which the previous models of security as a final external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data which enable them to make decisions about security on an ongoing basis.

Break time

,

Time for a quick break for a cup of coffee or tea. Chat to fellow attendees and speakers. Or visit one of our fantastic partners.

Hardened JavaScript

Kris Kowal, Software Engineer Agoric

Running other people's code is dangerous and some people will even tell you that you shouldn't do it. I'm here to tell you that actually, you can run other people's code safely. The solution is hardened JavaScript.

Let's talk about JWT

Jessica Temporal, Sr. Developer Advocate Auth0

JSON Web Tokens, or JWTs for short, are all over the web. They can be used to track bits of information about a user in a very compact way and can be used in APIs for authorization purposes. Join me and learn what JWTs are, what problems it resolves, and how you can use JWTs on your applications.

Refreshment break

,

Need a quick breather? Or why not share your thoughts with others attending? We'll be back soon.

The State of XSS: Best practices for a secure web experience

Matthew Kairys, Lead Software Engineer DiUS

As the web continues to evolve, it’s become increasingly challenging for developers to build secure web experiences that users can trust. Cross-site scripting (XSS) attacks continue to exploit many trusted web applications today, resulting in malicious JavaScript being injected and executed within a user’s browser. This can lead to catastrophic results such as the user’s session being hijacked and having their personal data stolen.

This session will help you understand the latest developments in XSS and how to follow best practices to mitigate these types of attacks. You’ll walk away with a checklist to help validate that your applications are best secured to protect your users and digital brand.

Eliminating XSS by adopting Trusted Types

Bjarki Ágúst Guðmundsson, Security Engineer Google

Year after year, Cross-Site Scripting (XSS) continues to be the most expensive type of web vulnerability found in bug bounty programs. The most common variant of XSS occurs on the client side, when untrusted user input is passed to dangerous DOM APIs. Trusted Types is a novel web browser API designed to eliminate DOM-based XSS.

It locks down dangerous DOM sinks, asking developers to prove that input is safe by using an appropriate security policy to avoid triggering a Trusted Types violation. Analyzing results from Google's Vulnerability Reward Program, it has been shown to prevent at least 61% of DOM-based XSS that Google's static code analysis pipeline missed. In this talk we show how web applications can significantly strengthen their security posture against DOM-based XSS by adopting Trusted Types, as well as the steps required to identify, fix, and prevent future Trusted Types violations.

Day 2

  • December 10th
  • 11:00am–3:00pm Sydney
  • 12:00pm–4:00pm London
  • 1:00pm–5:00pm New York

The Art of Authentication & Authorization

Kim Maida, VP of Developer Relations Ionic

Authentication and authorization are daunting topics for many developers. Open standards for auth are well defined, but challenging to understand; OAuth, OIDC, JWT, IETF, PKCE?! I'll demystify the specs and concepts step-by-step, giving you the knowledge you need to tackle auth in your front-end apps.

Auth on the web: better experiences

Phil Nash, Developer Evangelist Twilio

It's a common practice to verify a phone number or implement two factor authentication by sending a one time password over SMS. We can all agree that it's a pretty terrible user experience though.

This process may increase security, but the friction can decrease conversion and the user experience in general. Android and iOS have APIs to combat this, so why not the web? In this talk we'll take a look at autocomplete and the WebOTP API to see how the web platform can help us build secure flows and a better experience all round.

Auth on the web: better authentication

Kelley Robinson, Account Security Developer Evangelist Twilio

New technology beyond is challenging the premise that we have to choose between more friction or more security for authenticating users. This talk will explore the benefits and drawbacks of frictionless authentication options beyond traditional one-time passcodes like biometrics, contextual data, or using devices as secure keys.

Voice recognition in call centers saves both the user and the agent time and frustration. IP address validation is a fast way to trigger additional checks. Device fingerprinting provides a seamless user experience for repeat visitors.

These kinds of frictionless background authentication checks have been deployed to increase trust and improve user experience but aren't a perfect solution: algorithms have bias, IP addresses can be spoofed, and people lose devices.

This talk will walk through three categories of frictionless authentication: biometrics, contextual data, and using devices as keys. We'll discuss the pros and cons of different solutions, including how to make your users feel secure when they don't see the security happening. Finally, we'll offer recommendations for adding frictionless authentication to your application.

Refreshment break

,

Need a quick breather? Or why not share your thoughts with others attending? We'll be back soon.

Credentials management on the modern web

Maye Edwin, Senior Software Engineer Sky.Garden

With how reachable the web is, everyone is building apps that run on it to target its massive number of users. Many of these web apps require sign-ups or authentication of some form. Learn how to build your web app around one of its core tenets - safety and how you could use the Credential API to build a robust and secure web app on the modern web.

Introduction to cryptography on the frontend

Dan Draper, Founder & Chief Stashie CipherStash

Cryptography forms the backbone of how we securely use information online, but most developers don’t have more than a surface level understanding of cryptography. What's more, cryptography is so easy to mess up - even the experts get it wrong!

In this talk, attendees will learn about the basic cryptographic algorithms, how to use cryptographic libraries correctly (and what to avoid), what common attacks you should be thinking about, and what emerging web cryptography technologies you should be paying attention to.

Pay the Web Forward

Alex Lakatos, Technology Lead Interledger Foundation

Trying to get paid on the Web today, as a creator, is broken and unfair. 70% of ad spend globally goes to only 2 platforms. Until recently, the Web couldn't natively compete.

A new W3C Standard proposal, Web Monetization, uses the Interledger Protocol to enable developers like you to make money from your work in an open, native, and seamless way. And all that with as little as a single line of HTML!

Break time

,

Time for a quick break for a cup of coffee or tea. Chat to fellow attendees and speakers. Or visit one of our fantastic partners.

HTTP/3: Fast and Secure, but Complex

Robin Marx, Postdoctoral researcher KU Leuven

TBF

Getting Some Privacy on the Web

Robin Berjon, VP Data Governance The New York Times

Privacy feels hard — but it doesn't need to be. If we move past a few confusing notions and the idea that we have to get everything perfectly right immediately, we can find ways to know what needs to be done and to get there step by step.

Attend your way

Attend Safe online, or as part a membership to our comprehensive conference platform, Conffab.

Conffab features hundreds of conference videos from our conferences, and other great conferences around the world.

Conffab Premium

  • Safe conference

  • all 2021 online conferences live

  • all 2021 conference videos

  • Conffab presentation library

  • $595 annually
  • $59 monthly

Safe+

  • Safe conference

  • Safe conference videos

  • Conffab presentation library

  •  

  • $295 early bird
  • $395 Standard

Safe classic

  • Safe conference

  • Safe conference videos

  •  
  •  
  • $195 early bird
  • $295 Standard

Safe Conference
July 2021

  • 2 in-depth sessions
  • 8+ hours of content
  • World Leading experts
  • Hallway Track
tick to indicate this is included tick to indicate this is included tick to indicate this is included

Safe Conference Videos

All the Safe conference presentations, captioned, transcribed and more

tick to indicate this is included tick to indicate this is included tick to indicate this is included

Conffab Presentation Library

1 year access to our growing library of hundreds of conference presentation videos from world leading conferences

tick to indicate this is included tick to indicate this is included

All 2021 online Web Directions conferences

Access to all 6 planned online Web Directions conferences in 2021–50+ hours of content.

tick to indicate this is included

Find the conference pass for you

Attend your way

Attend Safe online, or as part a membership to our comprehensive conference platform, Conffab.

Conffab features hundreds of conference videos from our conferences, and other great conferences around the world.

Conffab Premium

  • Safe conference

  • all 2021 online conferences live

  • all 2021 conference videos

  • Conffab presentation library

  • $595 annually
  • $59 monthly

Conffab Premium

Safe+

  • Safe conference

  • Safe conference videos

  • Conffab presentation library

  •  

  • $295 early bird
  • $395 Standard

Register Safe+

Safe classic

  • Safe conference

  • Safe conference videos

  •  
  •  
  • $195 early bird
  • $295 Standard

Register Safe Classic

Partners

We work closely with our partners and their technologies to deliver world leading online conferences.

Contact us for more on how we work can work with you to help you be even more awesome.

Praise for past Web Directions events

Phil Whitehouse
Web Directions is the must-attend event of the year for anyone serious about web development.

Phil Whitehouse,
Innovation Lead DigitasLBi

Ethan Marcotte
I’ve been admiring the Web Directions events for years, and was honored to be part… What a fantastic event!

Ethan Marcotte,
inventor "responsive Web design"

Dave Greiner
Out of any conference, Web Directions is far and away our favourite

Dave Greiner,
founder Campaign Monitor

About Us

Co-founded and now run by John Allsopp, Web Directions has for over 15 years brought together leading developers, engineers, visual, IxD, UX and product designers, Art and Creative Directors, product managers indeed everyone involved in producing web and digital products to learn from one another, and the World's leading experts across this vast field.

We spend our lives thinking about what comes next, keeping up with trends in technology, practices and processes, and filtering the hype, to make sure you don't miss trends that matter, and don't waste time on hype that doesn't.

We promise attending one of our events will leave you significantly better versed in the challenges you face day to day, and in solutions for addressing them.

Due to the COVID-19 pandemic, we're switching things up a bit for 2020, 2021 (and beyond). We're delivering 6 highly focussed front end development conferences online.

We hope our annual extravaganza, Web Directions Summit will take place in Sydney as soon as it is practicable.

vignettes from our events, social, speakers and more. Includes Hannah Donovan skylarking.

John Allsopp

John Allsopp has been working on the Web for nearly 30 years. He's been responsible for innovative developer tools such as Style Master, X-Ray and many more. He's spoken at numerous conferences around the World and delivered dozens of workshops in that time as well.

His writing includes two books, including Developing With Web Standards and countless articles and tutorials in print and online publications.

His "A Dao of Web Design" published in 2000 is cited by Ethan Marcotte as a key influence in the development of Responsive Web Design, who's acclaimed article in 2010 begins by quoting John in detail, and by Jeremy Keith as "a manifesto for anyone working on the Web".

Code of Conduct

For over a decade, we've worked hard to create inclusive, fun, inspring and safe events for the Web Industry.

As part of our commitment to these values, we've adopted a code of conduct for all involved: ourselves, our speakers, our partners and our audience.

If you have any concern or feedback, please don't hesitate to contact us.