The focus on security has never been more important than in the current times. In the IT world, it gains more relevance every day. But ensuring security is not just about system administrators. It must also be a developer's skill, especially if they are web developers.
Auth0 brings you a free ebook about security and web development. Learn more about it and why you should care about web development security.
The Web as a Development Platform
Today's Web is not the Web of the early '90s when it was invented. Originally, it was created primarily as a content management system, that is, a platform for sharing and linking static documents. The HTTP protocol and HTML language were sufficient to achieve these basic goals, and security concerns were mostly limited to controlling access to confidential documents.
The demand for interactivity led to the introduction of JavaScript and dynamic page generation technologies, both on the client and on the server sides. That has completely changed the primary use of the Web. It has evolved from a simple way to share and link documents to the backbone of the software and human connection. The old content management system platform has switched to become a development platform.
This paradigm change has brought benefits but also pitfalls. And it also brought a slew of new challenges, the most pressing of which is security.
Web Applications and Security
Web application security refers to the measures taken to protect a website or web application from external attacks that could result in data loss, denial of service, or privacy violation, among other things. When you deploy a web application, it can be accessed by anyone. You can't make any assumptions about who will access it: authorized or unauthorized users, humans, or bots. By default, you should assume that your application is exposed to any security risk. But what are security risks?
Three key concepts should be clear to you when analyzing your application security:
- Threats are incidents that can potentially harm your application. Think of them as external processes that your application must defend against.
- Vulnerabilities are weaknesses in your application that attackers can exploit. They can depend on design flaws or bugs, not just in your code, but also in its dependencies. Deficiencies can also exist at the infrastructure level, such as insecure protocols or network issues.
- Risks are the potential damage your application can suffer when a threat exploits a vulnerability. You can think of risks as the intersection of threats and vulnerabilities.
Understanding these concepts is fundamental for protecting your applications against attackers.
“Know your enemy and know yourself, find naught in fear for 100 battles. Know yourself but not your enemy, find level of loss and victory. Know not thy enemy nor yourself, wallow in defeat every time”
– Sun Tzu
Consider threats as your enemy’s weapons and vulnerabilities as your weakness. You need to know both to face the battle and make decisions with a calculated risk. In other words, learning how security attacks work is the first pass to avoiding them.
Common Web Application Threats
It is not possible to make a complete list of potential threats to which a web application is exposed. The constantly-shifting state of web security means that there are too many variables at play. However, there are well-known threats that you should be aware of. The Open Web Application Security Project (OWASP), the online community devoted to spreading knowledge and awareness about web security, tracks the most common security risks for web applications in its OWASP Top Ten. This document intends to create security awareness in the developer audience by detailing the ten most critical security risks. It represents an excellent first step towards creating a security culture in the developers’ community. Hopefully, this first step may push developers for the adoption of a security by design mindset, i.e., an approach that makes you think of security at each step of your application development.
Try out the most powerful authentication platform for free.
Get started →Security for Web Developers
In this path toward security awareness, Auth0 wants to contribute with a free ebook dedicated to security for web development: "Security for Web Developers".
As we said, to protect your web applications from security risks, you need to know how threats work to understand your application's vulnerabilities. Each chapter of this book is dedicated to one threat and provides you with working examples of vulnerable applications. Using these examples, you’ll learn the “behind the scenes” details of each threat and how to remediate the application’s vulnerability.
For example, you will learn how Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Clickjacking attacks work in practice and how you can prevent them. But it's not all about reading. You can also download and get your hands on the code explained in the book. So, what are you waiting for? Download your free copy and leave your feedback in the comments!
Learn web security through a hands-on exploration of some of the most notorious threats.
Download the free ebookAbout the author
Andrea Chiarelli
Principal Developer Advocate
I have over 20 years of experience as a software engineer and technical author. Throughout my career, I've used several programming languages and technologies for the projects I was involved in, ranging from C# to JavaScript, ASP.NET to Node.js, Angular to React, SOAP to REST APIs, etc.
In the last few years, I've been focusing on simplifying the developer experience with Identity and related topics, especially in the .NET ecosystem.