Security Resources for Web Developers

Are you confident in the security of your web sites? Are you ready to accept payments from customers, and store user passwords in a database, securely? Maybe you are, and that’s great, but if you read on, we’re sure you’ll appreciate these resources.

Learning Security Fundamentals

Google’s Web Fundamentals - Security and Identity

This article on the Google Developers' Web Fundamentals site helps you understand and implement HTTPS and Content Security Policy (CSP). You’ll also learn how to detect whether your site has been hacked and what to do about it.

TryHackMe

TryHackMe provides fun, real-world security training. It’s both theoretical and practical, and we highly recommend it. There’s a track for web fundamentals, which is especially useful for this article. You can find it here. Section 1 teaches you how the web works, section 2 is an introduction to web hacking, section 3 introduces burp suite, and section 4 goes further into web hacking.

SAFECode

SAFECode is a global industry forum where business leaders and technical experts come together to exchange insights and ideas on creating, improving, and promoting scalable and effective software security programs. We believe that secure software development can only be achieved with an organizational commitment to the execution of a holistic assurance process, and that sharing information on that process and the practices it encompasses is the most effective way for software providers to help customers and other stakeholders manage software security risk.

Cybrary

Cybrary’s accessible, affordable platform provides guided pathways, threat-informed training, and certification preparation to fully equip cybersecurity professionals at every stage in their careers to skill up and confidently mitigate threats.

OWASP Juice Shop

Juice Shop is a web application built with modern technologies. A lot of the vulnerabilities are frequently found in real-world apps, which makes Juice Shop so good - it is essentially a real-world app, containing the entire OWASP Top Ten, and more.

OWASP Juice Shop is probably the most modern and sophisticated insecure web application!

Once you install it, you might follow along the videos and CTFs created by HackerOne (a bug bounty platform) to get a feel for things.

Communities and Other Good resources

There are quite a few good communities you can join to ask questions, and gather information as a lurker, such as: Information Security Stack Exchange, Reddit, and various discord communities (you can find them if you search within Google).

OWASP Top 10

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Bookmark this website. Keep it in mind while developing applications, and visit it frequently.

Globally recognized by developers as the first step towards more secure coding.

The Top 10

1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)

OWASP Top 10 Proactive Controls

The OWASP Top Ten Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project.

The Top 10

The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with number 1 being the most important.

1. Define Security Requirements
2. Leverage Security Frameworks and Libraries
3. Secure Database Access
4. Encode and Escape Data
5. Validate All Inputs
6. Implement Digital Identity
7. Enforce Access Controls
8. Protect Data Everywhere
9. Implement Security Logging and Monitoring
10. Handle All Errors and Exceptions

Recommended Books

The Web Application Hacker’s Handbook

We wrote about this book here.

The Web Application Hacker’s Handbook is considered the holy grail of web security books available to date. It will show you ways in which attackers could exploit your applications, enabling you to defend against them.

The Tangled Web

In The Tangled Web, Michal Zalewski, one of the world’s top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they’re fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security.

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

24 Deadly Sins of Software Security reveals the most common design and coding errors and explains how to fix each one. It will also teach you how to avoid them from the start.

Full Disclosure: this post contains affiliate links. However, we only recommend books or products (courses) that we have personally read or used. We may receive a (very) small commission if you purchase any of the books or courses from this list (at no additional cost to you).