How to learn application security
Every developer needs to know the basics of application security. Here's how to learn it.
Learning application security isn’t difficult. It’s the same as any other topic. Also, it doesn’t take too long, at least for the basics. There are a few resources that are easy to follow and learn from.
Why developers should learn application security
Every application needs to be secure. Every application can and will be attacked in absolutely any way imaginable, particularly as it becomes more popular. There are probably hundreds of ways to attack an application and no application is exempt.
So, at the very least, you should know about the most severe security vulnerabilities.
Now, if your company has dedicated security specialists, then perhaps you don’t need to know as much. The specialists will be there as a backup to say "hey Bob, please validate form input here and escape it here".
However if the company doesn’t have dedicated security specialists, then it’s purely up to you, the developer, to ensure that the application is secure.
Further, even if the company has security specialists, it’s always better for developers to know about security too. Then, security specialists will be an additional layer of defence rather than the only layer of defence.
Also, if developers defend against the obvious vulnerabilities, it saves everyone a lot of time. Consider: As you’re coding, you ignore a potential XSS vulnerability. After you commit the code, a security specialist will test it for an hour and find it. Then, they’ll ask you to fix it. Next, you’ll need to create a new story, find the vulnerability in the code (because it might have been a few days since you committed it and you might have forgotten where it was), make the fix, put it through code review and then commit it. Then, the security specialist will test it again to make sure it’s not there any more. This whole process is a big waste of time, especially when it would have taken you 5 minutes to plug the vulnerability in the first place.
How much do you need to know about web application security?
It’s important to know at least some of the basics.
More is better. The more senior developers and / or architects in a company would probably be expected to know a lot about it.
However, it may not be necessary to know it all. Just like most other things in programming, if you know what you need to be aware of, then you can always look stuff up when you need to. You can also use security checklists, or even bring in third parties and experts to audit the application and give you more advice.
Resources for learning web application security
Here are the resources I used, in order, to learn web application security as a developer. I found them all very good and I highly recommend them.
Frontend Masters is pretty great. They have some really great courses. The web security course with Mike North is no different.
It’s a really good introduction to web security for front end developers. It tackles some very important issues. Also, it’s only a few hours long, so it won’t take very long to complete.
I would only suggest skipping this course if you don’t do front end web development at all.
This article is awesome. It’s quite long and may take anywhere from under an hour to a couple of hours to read.
It teaches the most pressing security issues for web development in general, for both front end and back end. I highly recommend it for everyone.
Also, unless you want to learn web application security quite well, or there is something specific you still want to learn, I think that stopping here is acceptable.
This next one is a lot of work, but if you really want to learn a ton about web application security, go to this page and read through the cheatsheets.
You can skip the ones that aren’t relevant to you. You can also skim read whatever you want. You can also just pick one or two and read through them in detail. Anything you read will be useful.
If you’re not sure which ones to read, it might be best to prioritise the ones related to the OWASP top 10.
But overall, this series has probably everything that you would ever need to know about web application security as a developer. Anything else is probably best left to security specialists to audit and tell you about.
Finally, read this page on Security by design principles to understand some of the main principles behind security.
4. References for more details.
The previous resources are more than enough for understanding security concepts. However, in the end, web application security is implemented with code. Therefore, sometimes you may need to research some implementation details from a developer’s perspective. For example, even though the above resources explain what to avoid with cookies and what properties to set on them, you may still need to learn how they work and how to actually work with them with code.
Here are some resources to help you do that, if you need any of those implementation details:
What to do next
Well, I don’t actually have personal experience on how to proceed any further. If anyone in the comments wants to chip in then please go ahead.
However I imagine some of the next steps might be:
- Reading more articles from OWASP.
- Learning about monitoring and alerting tools (such as Splunk), vulnerability scanners (such as Arachni), etc.
- Learning some DevOps, particularly about configuring servers and firewalls.
- Learning some basic penetration testing (search "pentesting challenges and labs") or even moving towards official cyber security (a wider field than just application security) and penetration testing certifications.
That’s all I’ve got. Please comment if you have any comments or suggestions, particularly if you want to share any more resources that you think would be useful for beginners.
Suggestions from the comments
This post picked up quite a bit of traction over at dev.to. Many people suggested some additional learning resources. Please go there and see the comments if you’re interested. The suggestions seem quite good.
Specialising in front end development. I love programming and strive to be the best developer I can be.