How to learn web application security

The original and latest version of this post (how to learn web application security) can be found at Programming Duck.

Learning web application security doesn't have to be painful. In fact, I think it's the same as any other topic, and it doesn't even take that long. There are a few resources that are easy to follow and learn from, especially if you're only looking to learn web security basics.

Why should developers learn about web application security?

Every application needs to be secure, because every application can and will be attacked in absolutely any way imaginable, particularly as it becomes more popular. There are probably hundreds of ways to attack an application and absolutely anything can be attacked.

So at least knowing how to avoid the most severe security vulnerabilities is essential.

Now, if the company has dedicated security specialists, then perhaps the developers don't need to know as much. The specialists will be there as backup to say "hey, we need to validate form input here and escape it here".

However if the company doesn't have dedicated security specialists, then it's purely up to us, the developers, to make sure the application is secure. Regardless, even with security specialists, it's always better for the developers to know security as well. That way we can defend against the most important security vulnerabilities ourselves. Then, security specialists can act as reinforcement rather than our only layer of defence.

How much do we need to know about web application security?

It's important to know at least some of the basics.

More is better, and the more senior developers and / or architects in a company would probably be expected to know a lot about it.

However, it may not be necessary to know it all. Just like most other things in programming, if we know what we need to be aware of, then we can always look stuff up when we need to. We can also use security checklists, or even bring in third parties and experts to audit our application and give us more instructions.

Resources for learning web application security

Here are the resources I used, in order, to learn web application security as a developer. I found them all very good and I highly recommend them.

1. Frontend Masters - Web security with Mike North.

I love Frontend Masters. I find their courses to be the best introductions to topics. The web security course with Mike North is no different.

It's a really good introduction to web security for front end developers. It tackles very important issues. I would only suggest skipping this course if you don't do front end web development at all.

It's only a few hours long, so it won't take very long to complete.

2. The basics of web application security by Martin Fowler.

This article is awesome. It's fairly long and may take anywhere from under an hour to a couple of hours to read.

It teaches the most pressing security issues for web development in general, for both front end and back end. I highly recommend it for everyone.

Also, unless you want to learn web application security quite well, or there is something specific you still want to learn, I think stopping here is alright.

3. OWASP cheatsheet series.

This next one is a lot of work, but if you really want to learn a ton about web application security, go to this page and read through the cheatsheets.

You can skip the ones that aren't relevant to you. You can also skim read what you want. And you can also just pick one or two and read through them. Anything you read will be useful knowledge. If you're not sure which ones to read, it might be best to prioritise the ones related to the OWASP top 10.

But overall, this series has probably everything that you would ever need to know about web application security. Anything else is probably best left to security specialists to audit and tell you about.

Also read this page on Security by design principles to understand some of the main principles behind security.

4. References for more details.

The previous resources are more than enough, but if you want any additional details on certain things you can check out:

• MDN web security
• Google developers web fundamentals - Security
• MDN HTTP

For example if you wanted to know more about cookies, how they work, and their settings, you can check out the MDN cookies page.

Or if you wanted more details about CSP (content security policy), you could check out the CSP page on google developers or the CSP page on MDN.

What to do next

Well, I don't actually have personal experience on how to proceed any further. If anyone in the comments wants to chip in then please go ahead.

However I imagine some of the next steps might be:

• Reading more articles from OWASP.
• Learning about monitoring and alerting tools (such as Splunk), vulnerability scanners (such as Arachni), etc.
• Learning some DevOps. Particularly configuring servers and firewalls.
• Learning some basic penetration testing (search "pentesting challenges and labs") or even moving towards official cyber security (a wider field than just application security) and penetration testing certifications.

That's all I've got. Please comment if you have any comments or suggestions, particularly if you want to share any more resources that you think would be useful for beginners.

Comments

[NW]

Can you list some SAST tools ??

[Spyros Argalias]

I've only used things like TypeScript, ESLint and SonarQube. Other suggestions are welcome.

[Tolga Ünlü]

Thank you for this post, it was a good read! :)

One activity which I found useful with developers who are new to web security is to demonstrate them the use of interception proxies like OWASP ZAP or Burp Suite. It can be eye-opening when they realize that any part of a HTTP request can be modified and hence why thorough input validation is important.

[Spyros Argalias]

Thanks, sounds like a good tip for showing the consequences in a practical way. Nice.

[Ognyan Dimitrov]

I humbly suggest an addition - following Troy Hunt`s posts and courses.

[Spyros Argalias]

Thanks!

[Cedric Chee]

First of all, thank you for the post.

I prefer to learn by reading books and I've been recommended:

• The Web Application Hacker's Handbook (WAHH). They say this is widely considered the Bible of penetration testing for web apps. Web Security Academy (WSA) has been mentioned in the comments. WSA is an interactive version of WAHH book.
• The one book that everybody recommends is The Tangled Web. Matasano gave this book to their candidates. According to Thomas Ptacek, "it's probably the best all-around browser security book, but it's not the best application security book, since it spends much more time on browsers and browser technology than it does on the server-side issues (like SQL databases and authorization systems) that dominate web appsec."

Disclaimer: I'm not a web app security expert. Just a software engineer learning the fundamentals of web appsec.

[Spyros Argalias]

Thanks!

[atan]

Thank you so much for clarifying what I believe to be a huge misconception or belief among developers. I've audited countless applications with simple XSS vulnerabilities that are left not out of ignorance but simply due to belief that it's the security auditor and penetration tester's "job" to fix these mistakes. Security is the responsibility of ALL parties. From the Security Team, to the Full stack of development and all those involved in the SDLC, it's a group effort to maintain and protect.

[Spyros Argalias]

Completely agree :)

[Ari Kalfus]

Don't forget Portswigger's Web Security Academy! (free)
portswigger.net/web-security

[Spyros Argalias]

Thanks for the suggestion

[Serhii]

One more resource: CS253 Stanford Web Security course

[Spyros Argalias]

Thanks for the suggestion!