Defense-in-depth engineering

The 2021 OWASP Top Ten introduced a category “Insecure Design” to focus on risks related to design flaws. In this talk, we will focus on techniques we can use to build defense-in-depth software. What can we do to proactively architect software to be more resilient to attacks? What type of findings may not be discovered via automated static analysis? How can we design our software to be more friendly during incident response scenarios? Throughout this talk, we will focus on identifying often-overlooked architectural anti-patterns and vulnerabilities to be on the lookout for. We will source code to analyze patterns for improvement in both real-world applications as well as intentionally vulnerable applications. Engineers will leave this talk with a solid understanding of defense-in-depth software architecture and design. Security engineers or consultants can expect to leave with an increased understanding of insecure design patterns and vulnerabilities.



John Poulin


John Poulin is an experienced Application Security Practitioner with over 10 years of experience in software development and security. Over his tenure, John has worked with many Fortune 500 companies