
Security for building modern web apps

This article is inspired by this post, a great article about things to know before building a web app nowadays. It isn't a very long list, but several security recommendations were left out, so I'm moving my ass and sharing the knowledge.

The focus of this article is on developers from startups who want to develop a web application from scratch, don't know much about information security and don't want to spend much time adding security to their applications either. That said, some important activities will not be discussed here, such as threat modeling, continuous delivery security, etc. The goal here is not to replace existing code security checklists (e.g., OWASP, SANS), but to complement them with modern advice. After all, security concepts are in general very old (e.g. the security design principles were defined in the 70s), are present today and will be present in the future, but they need to be adapted to our reality.

Note: Although lists and articles like these are helpful, security is a process that must stay very close to the development process, from the beginning. Always consider bringing in an application security professional to help you out.

Client

Server

Others [Non-exclusive about security]

Where to go from here?

There's a plethora of information out there, just search for it. OWASP and SANS will help you a lot: they have many projects, articles, checklists and tools. I also recommend keeping an eye on the security advisories for your tools and vendors. Besides all of this, always follow the Reddit channel /r/netsec.

You can now follow my next post: Security for later stage web apps.

Credits: Collin Greene for the 'generic error messages' topic; Reddit user _tpyo for the 'UUID note'; Reddit user oauth_gateau for pointing out the Black Hat paper regarding CSRF.
