Security Resources for Web Developers
Are you confident in the security of your web sites? Are you ready to accept payments from customers, and store user passwords in a database, securely? Maybe you are, and that’s great, but if you read on, we’re sure you’ll appreciate these resources.
Learning Security Fundamentals
Google’s Web Fundamentals - Security and Identity
This article on the Google Developers' Web Fundamentals site helps you understand and implement HTTPS and Content Security Policy (CSP). You’ll also learn how to detect whether your site has been hacked and what to do about it.
TryHackMe
TryHackMe provides fun, real-world security training. It’s both theoretical and practical, and we highly recommend it. There’s a track for web fundamentals, which is especially useful for this article. You can find it here. Section 1 teaches you how the web works, section 2 is an introduction to web hacking, section 3 introduces Burp Suite, and section 4 goes further into web hacking.
SAFECode
SAFECode is a global industry forum where business leaders and technical experts come together to exchange insights and ideas on creating, improving, and promoting scalable and effective software security programs. We believe that secure software development can only be achieved with an organizational commitment to the execution of a holistic assurance process, and that sharing information on that process and the practices it encompasses is the most effective way for software providers to help customers and other stakeholders manage software security risk.
Cybrary
Cybrary’s accessible, affordable platform provides guided pathways, threat-informed training, and certification preparation to fully equip cybersecurity professionals at every stage in their careers to skill up and confidently mitigate threats.
OWASP Juice Shop
Juice Shop is a web application built with modern technologies. Many of its vulnerabilities are frequently found in real-world apps, which is what makes Juice Shop so good: it is essentially a real-world app containing the entire OWASP Top Ten, and more.
OWASP Juice Shop is probably the most modern and sophisticated insecure web application!
Once you install it, you might follow along with the videos and CTFs created by HackerOne (a bug bounty platform) to get a feel for things.
Communities and Other Good resources
There are quite a few good communities you can join to ask questions, or simply gather information as a lurker, such as: Information Security Stack Exchange, Reddit, and various Discord communities (you can find them with a Google search).
OWASP Top 10
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Bookmark this website. Keep it in mind while developing applications, and visit it frequently.
Globally recognized by developers as the first step towards more secure coding.
The Top 10
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
OWASP Top 10 Proactive Controls
The OWASP Top Ten Proactive Controls describes the most important controls and control categories that every architect and developer should absolutely, 100% include in every project.
The Top 10
The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project. They are ordered by importance, with number 1 being the most important.
- Define Security Requirements
- Leverage Security Frameworks and Libraries
- Secure Database Access
- Encode and Escape Data
- Validate All Inputs
- Implement Digital Identity
- Enforce Access Controls
- Protect Data Everywhere
- Implement Security Logging and Monitoring
- Handle All Errors and Exceptions
Recommended Books
The Web Application Hacker’s Handbook
We wrote about this book here.
The Web Application Hacker’s Handbook is considered the holy grail of web security books available to date. It will show you ways in which attackers could exploit your applications, enabling you to defend against them.
The Tangled Web
In The Tangled Web, Michal Zalewski, one of the world’s top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they’re fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security.
24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
24 Deadly Sins of Software Security reveals the most common design and coding errors and explains how to fix each one. It will also teach you how to avoid them from the start.
Full Disclosure: this post contains affiliate links. However, we only recommend books or products (courses) that we have personally read or used. We may receive a (very) small commission if you purchase any of the books or courses from this list (at no additional cost to you).