If you’re a web developer and are thinking about web security, you have already taken the first step towards writing safer code. For a long time security was handled apart from the development process, which is why many developers find it intimidating. Here are a few pointers to get you started:
- Never trust user input. Validate it against what you expect before you use it, and encode it for the context it ends up in (HTML, SQL, a shell command). This also applies to serialized objects: deserializing data from an untrusted source and then treating the result as trusted is a very common mistake, and in many frameworks it leads directly to remote code execution.
- Use whitelisting rather than blacklisting. A blacklist has to enumerate every invalid input, and one missed case (a different encoding, a case variant, a payload nested inside the string you strip) exposes your web application. A whitelist only has to describe what is valid, which is a much smaller set that you actually understand.
- Familiarize yourself with the OWASP Top 10, a list of the most common web vulnerability categories that shows you what to look out for when you’re writing code. The 2017 version of the list was released in November 2017, and understanding all ten categories will give you a basic grasp of where web applications usually fail.
Be careful when using third party scripts. Third party scripts let you add functionality to your site without writing it from scratch, but they also bring risk. They can be just as vulnerable as your own code, and if you load them from an external host the script runs with full access to your page (its DOM, cookies and storage), so a compromise of that host or of the package you depend on becomes a compromise of your site. Review the exact version you include and pin it, for example with Subresource Integrity, so that a changed file fails to load instead of running.
Stay up to date. Security never stands still. Not that long ago, quarterly or even annual penetration tests were what companies did to stay safe. That is no longer enough: new vulnerabilities and bypasses for existing defences are published every day, and what is secure today might be vulnerable tomorrow. Developers need to keep learning new vulnerability classes and the remediation methods for them. The /r/netsec community on reddit is a good place to follow the latest developments in web security. It might seem complicated at first, but as you read more write-ups you’ll get used to thinking about security and considering it from the first line of code.
Use automated monitoring. It’s impossible to detect every vulnerability on your website by hand. Automated vulnerability scanners like Detectify can help you find security issues and see exactly where your site is vulnerable, so you can remediate them quickly and improve your website’s security. Keep in mind that a scanner finds the vulnerability classes it has checks for; it complements code review and threat modeling rather than replacing them. And don’t forget to choose a web hosting provider with a solid security track record, since their mistakes become your exposure too.