The original and latest version of this post (how to learn web application security) can be found at Programming Duck.
Learning web application se...
Thank you for this post, it was a good read! :)
One activity which I found useful with developers who are new to web security is to demonstrate to them the use of interception proxies like OWASP ZAP or Burp Suite. It can be eye-opening when they realize that any part of an HTTP request can be modified and hence why thorough input validation is important.
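The comment above is about the consequence of the proxy demo: every part of a request (method, headers, body, field names) is client-controlled, so the server has to validate all of it. The following is an added example of that server-side validation, not code from the original post or from any commenter. It assumes a minimal order-creation endpoint; the request objects, field names and limits are constructed for illustration.

```javascript
// Added example: allowlist-based server-side validation of a request.
// Nothing the client sends is trusted: method, Content-Type header, body
// size, field names and field values are all checked explicitly.
// Field names (sku, quantity) and limits are assumptions for this example.

const ALLOWED_METHODS = new Set(["POST"]);
const ALLOWED_CONTENT_TYPES = new Set(["application/json"]);
const ALLOWED_FIELDS = new Set(["sku", "quantity"]);
const MAX_BODY_BYTES = 4096;

// Returns { ok, errors } so the caller can decide how to respond.
function validateOrderRequest(req) {
  const errors = [];

  // Request line and headers are just as client-controlled as the body.
  if (!ALLOWED_METHODS.has(req.method)) errors.push("method");
  const ct = String(req.headers["content-type"] || "")
    .split(";")[0].trim().toLowerCase();
  if (!ALLOWED_CONTENT_TYPES.has(ct)) errors.push("content-type");

  // Bound the body before parsing it.
  const raw = req.rawBody || "";
  if (Buffer.byteLength(raw, "utf8") > MAX_BODY_BYTES) errors.push("body-size");

  // Parse defensively: malformed JSON, arrays and null are rejected.
  let body = {};
  try {
    const parsed = JSON.parse(raw);
    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
      errors.push("body-shape");
    } else {
      body = parsed;
    }
  } catch {
    errors.push("json");
  }

  // Unknown fields (e.g. an injected privilege flag) are rejected outright,
  // rather than silently ignored and possibly picked up by a later layer.
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`field:${key}`);
  }

  // Each known field gets a type check and a tight format/range check.
  if (typeof body.sku !== "string" || !/^[A-Z0-9-]{3,20}$/.test(body.sku)) {
    errors.push("sku");
  }
  if (!Number.isInteger(body.quantity) || body.quantity < 1 || body.quantity > 100) {
    errors.push("quantity");
  }

  return { ok: errors.length === 0, errors };
}

// Constructed sample requests, standing in for what a web framework would
// hand to the handler after reading the raw request.
const legitRequest = {
  method: "POST",
  headers: { "content-type": "application/json" },
  rawBody: JSON.stringify({ sku: "ABC-123", quantity: 2 }),
};

// The same request after being edited in a proxy: negative quantity and an
// extra field that was never part of the form.
const tamperedRequest = {
  method: "POST",
  headers: { "content-type": "application/json; charset=utf-8" },
  rawBody: JSON.stringify({ sku: "ABC-123", quantity: -5, isAdmin: true }),
};

console.log(validateOrderRequest(legitRequest));
console.log(validateOrderRequest(tamperedRequest));
```

The design point is the allowlist: the validator names exactly what is acceptable and rejects everything else, so a field added in the proxy fails closed instead of depending on what downstream code happens to read. Values that must not come from the client at all (a price, a user id) are not in the allowlist; they are computed or looked up server side.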
Thanks, sounds like a good tip for showing the consequences in a practical way. Nice.
One more resource: CS253 Stanford Web Security course
Thanks for the suggestion!
First of all, thank you for the post.
I prefer to learn by reading books and I've been recommended:
Disclaimer: I'm not a web app security expert. Just a software engineer learning the fundamentals of web appsec.
Thanks!
Thank you so much for clarifying what I believe to be a huge misconception or belief among developers. I've audited countless applications with simple XSS vulnerabilities that are left not out of ignorance but simply due to belief that it's the security auditor and penetration tester's "job" to fix these mistakes. Security is the responsibility of ALL parties. From the Security Team, to the Full stack of development and all those involved in the SDLC, it's a group effort to maintain and protect.
Completely agree :)
Don't forget Portswigger's Web Security Academy! (free)
portswigger.net/web-security
Thanks for the suggestion
I humbly suggest an addition - following Troy Hunt's posts and courses.
Thanks!
Can you list some SAST tools?
I've only used things like TypeScript, ESLint and SonarQube. Other suggestions are welcome.