DEV Community


How to learn web application security

Spyros Argalias on April 12, 2020

The original and latest version of this post (how to learn web application security) can be found at Programming Duck. Learning web application se...
Tolga Ünlü

Thank you for this post, it was a good read! :)

One activity which I found useful with developers who are new to web security is to demonstrate to them the use of interception proxies like OWASP ZAP or Burp Suite. It can be eye-opening when they realize that any part of an HTTP request can be modified, and hence why thorough input validation is important.
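
Making that point concrete, here is an added example (not code from the original post or the commenter): a server-side order validator that treats headers, cookies and hidden form fields as equally untrusted, assuming a hypothetical catalogue and session store.

```python
# Added example (not from the original post or comments): server-side
# validation that treats every part of an HTTP request as attacker-controlled,
# since an interception proxy lets a client edit headers, cookies, query
# strings and hidden form fields alike. The request shape, field names,
# catalogue and session store below are constructed for this illustration.
import re
from dataclasses import dataclass, field

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}  # prices in cents
ROLE_BY_SESSION = {"sess-abc": "user"}          # constructed session store

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

QTY_RE = re.compile(r"[1-9][0-9]{0,2}")  # 1..999, digits only (fullmatch below)

def validate_order(req: Request) -> dict:
    """Return an accepted order, or {'ok': False, 'error': ...}.
    Nothing the client sent is trusted as-is: the role comes from the
    server-side session, the price from the catalogue, and the quantity
    is re-parsed against a strict pattern."""
    if req.method != "POST":
        return {"ok": False, "error": "method not allowed"}
    # A header such as 'X-Role: admin' is client-editable; ignore it and
    # resolve the role from the session cookie on the server side.
    role = ROLE_BY_SESSION.get(req.cookies.get("session", ""))
    if role is None:
        return {"ok": False, "error": "not authenticated"}
    sku = req.form.get("sku", "")
    if sku not in CATALOGUE:
        return {"ok": False, "error": "unknown sku"}
    qty_raw = req.form.get("qty", "")
    if not QTY_RE.fullmatch(qty_raw):
        return {"ok": False, "error": "bad quantity"}
    qty = int(qty_raw)
    # A hidden 'price' field is just another editable input: recompute the
    # total from the catalogue and treat a mismatch as a tampering signal.
    if "price" in req.form and req.form["price"] != str(CATALOGUE[sku]):
        return {"ok": False, "error": "price mismatch"}
    return {"ok": True, "sku": sku, "qty": qty,
            "total_cents": CATALOGUE[sku] * qty, "role": role}
```

The same checks apply whichever part of the request a proxy was used to edit: the header claim, the cookie, the quantity string and the hidden price field all go through the server's own lookups rather than being believed.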

Spyros Argalias

Thanks, sounds like a good tip for showing the consequences in a practical way. Nice.

Serhii
Spyros Argalias

Thanks for the suggestion!

Cedric Chee

First of all, thank you for the post.

I prefer to learn by reading books and I've been recommended:

  • The Web Application Hacker's Handbook (WAHH). They say this is widely considered the Bible of penetration testing for web apps. Web Security Academy (WSA) has been mentioned in the comments. WSA is an interactive version of the WAHH book.
  • The one book that everybody recommends is The Tangled Web. Matasano gave this book to their candidates. According to Thomas Ptacek, "it's probably the best all-around browser security book, but it's not the best application security book, since it spends much more time on browsers and browser technology than it does on the server-side issues (like SQL databases and authorization systems) that dominate web appsec."

Disclaimer: I'm not a web app security expert. Just a software engineer learning the fundamentals of web appsec.

Spyros Argalias

Thanks!

atan

Thank you so much for clarifying what I believe to be a huge misconception or belief among developers. I've audited countless applications with simple XSS vulnerabilities that are left not out of ignorance but simply due to belief that it's the security auditor and penetration tester's "job" to fix these mistakes. Security is the responsibility of ALL parties. From the Security Team, to the Full stack of development and all those involved in the SDLC, it's a group effort to maintain and protect.

Spyros Argalias

Completely agree :)

Ari Kalfus

Don't forget Portswigger's Web Security Academy! (free)
portswigger.net/web-security

Spyros Argalias

Thanks for the suggestion

Ognyan Dimitrov

I humbly suggest an addition: following Troy Hunt's posts and courses.

Spyros Argalias

Thanks!

NW

Can you list some SAST tools?

Spyros Argalias

I've only used things like TypeScript, ESLint and SonarQube. Other suggestions are welcome.