Philippe De Ryck

I help developers protect companies through better web security
Website: https://pragmaticwebsecurity.com

I'm running another edition of my OAuth / OIDC masterclass this May.

Come learn everything you ever wanted to know about OAuth 2.0 and OpenID Connect best practices in four 3-hour sessions. This course guides you through the complexities of OAuth and OIDC, covering the latest best practices for browser-based apps, API security, and high-security OAuth configurations.

Take advantage of early bird and group (3+) discounts and secure your spot today! #appsec https://ti.to/pragmatic-web-security/oauth-security-may-2025-eur

Mastering OAuth 2.0 and OIDC Security (May 2025, EUR)

OAuth 2.0 and OpenID Connect have become cornerstone technologies for most modern applications. Unfortunately, these technologies are insanely complex to grasp, making it hard to use them securely. This workshop takes you on a step-by-step journey into the world of OAuth 2.0 and OpenID Connect. We start with understanding best practices for building secure applications with OAuth 2.0 and OIDC. Next, we will level up your OAuth 2.0 security using the latest state-of-the-art security mechanisms. During this two-day hands-on training, spread out over four half days, we'll explore a broad range of OAuth 2.0 and OIDC topics. The outline below illustrates what the workshop will look like.

Day 1
- Introduction to OAuth 2.0 and OpenID Connect
- Architecture patterns using OAuth 2.0 and OpenID Connect
- Best practices for securing OAuth 2.0 and OIDC flows
- Understanding OAuth 2.0 security in frontends
- Breaking OAuth 2.0 security in frontends
- Securing OAuth 2.0 with the Backend-For-Frontend pattern
- Securing APIs with OAuth 2.0
- Demos and practical examples throughout the day

Day 2
- Using scopes and permissions in OAuth 2.0
- Advanced use cases for OAuth 2.0 and OpenID Connect
- Handling delegation scenarios in modern architectures
- Security best practices for confidential OAuth 2.0 clients
- Reducing access token authority with Resource Indicators
- Using sender-constrained tokens with mTLS and DPoP
- Securing OAuth 2.0 flows with JAR and PAR
- Advanced attacks and defenses against OAuth 2.0 flows
- Demos and practical examples throughout the day

This workshop is here to give you the skills you need to design architectures using OAuth 2.0 and OpenID Connect, to assess the security of your applications, and to enhance them using the latest best practices. In-depth lectures, real-world demos, fun quizzes, and practical examples will guide you through the complex landscape of OAuth 2.0 and OpenID Connect. Ticket prices in EUR and event timing displayed for the Central European time zone.
This course page offers access to the same course with prices in USD.

This cheat sheet gives you an overview of current best practices for using OAuth 2.0. Grab a PDF copy here (https://buff.ly/4jCred1). If you want to learn more about these topics, this masterclass covers it all! https://buff.ly/3PnrZJ6 The early-bird rate has been extended for a few more days, so grab a ticket now!

Today, I'm doing back-to-back talks at NDC Security 2025. In this second talk, I'm discussing how a previous talk at NDC resulted in me joining as a co-author of the OAuth spec for browser-based apps, doing a full rewrite to accurately reflect security risks and best practices. A copy of the slides is available here: https://buff.ly/4fMgG8Z #appsec #infosec
Breaking and securing OAuth 2.0 in frontends

Discover the underestimated threat of Cross-Site Scripting (XSS) in OAuth 2.0 Single Page Applications. Learn about hacks on frontend OAuth clients and explore solutions like the Backend-for-Frontend pattern, ensuring secure implementations of OAuth 2.0.

I am talking about API security at NDC Security 2025. Using real-world cases, we discuss a couple of do's and don'ts that can help you secure your APIs. You can grab a copy of the slides here: https://buff.ly/46TtghZ #appsec #infosec

Interesting, looks like the latest Servlet spec contains explicit rules around URI path normalization including some WAF-like rules for rejecting suspicious requests:

https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0.html#uri-path-canonicalization

Jakarta Servlet Specification

I hope you enjoyed the EOY festivities, and wish you the best for 2025 🎉

I am kicking off 2025 with a new live interactive training on Mastering OAuth 2.0 and OpenID Connect. This course guides you through the complexities of OAuth and OIDC, covering the latest best practices for browser-based apps, API security, and high-security OAuth configurations.

Take advantage of early bird and group (3+) discounts and secure your spot today! All info available here: https://ti.to/pragmatic-web-security/oauth-security-feb-2025 #appsec

Mastering OAuth 2.0 and OIDC Security (February 2025)

OAuth 2.0 and OpenID Connect have become cornerstone technologies for most modern applications. Unfortunately, these technologies are insanely complex to grasp, making it hard to use them securely. This workshop takes you on a step-by-step journey into the world of OAuth 2.0 and OpenID Connect. We start with understanding best practices for building secure applications with OAuth 2.0 and OIDC. Next, we will level up your OAuth 2.0 security using the latest state-of-the-art security mechanisms. During this two-day hands-on training, spread out over four half days, we'll explore a broad range of OAuth 2.0 and OIDC topics. The outline below illustrates what the workshop will look like.

Day 1
- Introduction to OAuth 2.0 and OpenID Connect
- Architecture patterns using OAuth 2.0 and OpenID Connect
- Best practices for securing OAuth 2.0 and OIDC flows
- Understanding OAuth 2.0 security in frontends
- Breaking OAuth 2.0 security in frontends
- Securing OAuth 2.0 with the Backend-For-Frontend pattern
- Using scopes and permissions in OAuth 2.0
- Securing APIs with OAuth 2.0
- Demos and practical examples throughout the day

Day 2
- Advanced use cases for OAuth 2.0 and OpenID Connect
- Handling delegation scenarios in modern architectures
- Security best practices for confidential OAuth 2.0 clients
- Reducing access token authority with Resource Indicators
- Using sender-constrained tokens with mTLS and DPoP
- Securing OAuth 2.0 flows with JAR and PAR
- Advanced attacks and defenses against OAuth 2.0 flows
- Demos and practical examples throughout the day

This workshop is here to give you the skills you need to design architectures using OAuth 2.0 and OpenID Connect, to assess the security of your applications, and to enhance them using the latest best practices. In-depth lectures, real-world demos, fun quizzes, and practical examples will guide you through the complex landscape of OAuth 2.0 and OpenID Connect.

Last week, I taught two 2-day classes. One on frontend security, and one on API security. In my experience, teaching is always insanely intense and really requires an enormous amount of energy. Fortunately, the feedback definitely makes it worth it!

Now two weeks of doing my own research, along with some consulting assignments. And of course, prepping the menu and trying out some dishes for the holidays!

Excited to be at the OWASP BeNeLux Days, with the wonderful security community. I will be speaking about Supercharging OAuth security (slides here: https://pragmaticwebsecurity.com/talks/superchargingoauthsecurity), and doing a 1-day API security workshop. #appsec #infosec

In a couple of weeks, I'm teaching two live online workshops, both consisting of a mix between lectures, demos, quizzes, and hands-on lab sessions:
- Securing Angular apps on Dec 2-3 (https://buff.ly/3uX8Rv1)
- Bulletproof APIs on Dec 5-6 (https://buff.ly/48JQM2Y)

Hope to see you there! #appsec

Angular Security Workshop with Dr De Ryck | ANGULARarchitects

Protect your business-critical Angular applications! Get practical and immediately applicable security advice.

The schedule for SecAppDev 2024 is looking better every day! We have finalized our workshop schedule, with four highly practical hands-on workshops (https://buff.ly/3TSIVZE).

🚨There are a few days left to benefit from a massive early-bird discount, so make sure to grab your ticket by April 11th! And if you're a small company or a freelancer, you get a 50% discount through our community tickets.

So there's really no excuse to not join us at SecAppDev! #appsec #infosec

Workshops at SecAppDev 2024

SecAppDev workshops offer a one-day hands-on deep-dive into application security.