Tech Talk - Intro to Security for Developers


Are you overwhelmed or intimidated by application security? Do you want to protect the security and privacy of your application's users but don't know where to start? Are you worried that your servers will get hacked one day?

This tech talk will demystify information security ("infosec") for developers, using hands on code samples written in Node.js. You will not only work with live demos of insecure applications, but will also learn how to defend against attacks and write secure code.

Topics include:

• an overview of common security terms like devsecops, red team vs. blue team, and responsible disclosure

• guidance for locking down your laptop, mobile phones, and online accounts

• how to securely use developer tools like GitHub, Travis CI, and npm

• how to configure SSL/TLS when developing applications locally

• the different types of Cross-Site Scripting (XSS) attacks and how to mitigate them

• how to salt and hash passwords and securely use cookies in your application

• how to prevent information disclosure within your applications

• how to implement rate limiting to protect against brute force attacks

• how to configure common security headers, including HSTS (HTTP Strict Transport Security), Content Security Policy (CSP) and HPKP (HTTP Public Key Pinning)

Live code samples are available at

Slides are also available at

Wanna better secure your laptop, mobile phone, and online accounts? Check out this personal security checklist:


Alex Ulsh ( is an Information Security Engineer at Mapbox ( and the Director of Operations for Women Who Code DC. At Mapbox, she works on everything from running their bug bounty program on HackerOne (, to locking down their AWS infrastructure, to making sure every team member knows how to use their password manager.