The war between web application attackers and defenders has never ended. In reality, it is getting more and more severe. Given the tremendous number of ways of defending web applications, why are attackers still winning?

"Not knowing your enemy, a victory will always follow with another loss."

Real-world attackers and bug bounty hunters are extremely capable nowadays. I'll go through some of the most interesting ones. You will probably be surprised by the determination and innovation that the attackers have shown to make their attacks work.

"To win without jeopardy, be familiar with yourself and your enemy."

I will explore some common ways of defending: which are ugly, bad fixes; why some of them are not usable at scale; why some solutions are overkill; and what the misconceptions are. Looking through the attacker's lens, I will present a few viable, usable and effective defensive techniques that developers have often overlooked.

Speaker: Albert Yu

Principal Security Engineer @Atlassian

Albert Yu is currently working as a principal engineer on the Trust Engineering team at Atlassian. Prior to Atlassian, he was a security architect on the Yahoo Paranoids team. He has spent 15 years working across many different aspects of a security program in large-scale environments, including security engineering, R&D, product reviews, code review, penetration testing, governance and compliance, risk management, and incident response. He is the primary designer of Gryffin, a large-scale web security scanning platform, and drove its open-sourcing. Albert received his Ph.D. (part-time) from the University of Hong Kong in 2012, with a research focus on cryptographic protocols. Among those who have worked with him, he is best known for finding internal security bugs that are hard to fix.

