TLDR; What are your favorite resources for how to build a secure webapp?<p>I've been looking to learn how to secure web apps more systematically. Just things that (should be) well-understood by now--logins, customer data security, how to take payments with or without storing credit card info (even if that's just using a third-party processor). I've found the OWASP site, which seems poorly maintained and terribly organized, and a bunch of books that focus on how to pentest existing apps. The books that focus systematically on security, like Security Engineering, are extremely general and don't explicitly cover the webapp use case.
OWASP is good especially the top 10:<p><a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project" rel="nofollow">https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...</a><p>Troy Hunt has some good advice on his blog and a site for checking for issues:<p><a href="http://www.troyhunt.com/" rel="nofollow">http://www.troyhunt.com/</a><p><a href="https://asafaweb.com/" rel="nofollow">https://asafaweb.com/</a>
The Web App Hacker's Handbook is the gold standard for web security books.<p>The Tangled Web is a good primer on browser security, which is a deeper topic.<p>The OWASP Top 10 is worth knowing because it's a widely recognized metric, but OWASP itself is not an especially great resource.
There is a good list in an answer on Stack Exchange about this, maybe you can find something there - <a href="http://programmers.stackexchange.com/questions/46716/what-technical-details-should-a-programmer-of-a-web-application-consider-before" rel="nofollow">http://programmers.stackexchange.com/questions/46716/what-te...</a>
We have a curated list here, which has all you want to know and then some:<p><a href="https://github.com/paragonie/awesome-appsec" rel="nofollow">https://github.com/paragonie/awesome-appsec</a><p>Our blog also has a bunch of posts about building secure web applications in PHP:<p><a href="https://paragonie.com/blog/category/security-engineering" rel="nofollow">https://paragonie.com/blog/category/security-engineering</a><p>I hope either one helps.
It's easy to tunnel-vision into the security of your own code and forget that everything you depend on must also be secure. This could span from your framework's cookie signing to the version of OpenSSL you're using on the server to the access controls of your VPS.<p>Unattended upgrades are a good start for your OS-managed dependencies, but make sure to keep up with your app-managed dependencies. You could set up a continuous-integration thing that runs your tests against the latest minor versions of all of your dependencies and upgrades when deemed safe, though you need excellent test coverage to get away with it.<p>Anyone know of great resources for managing your deployments and dependencies? Something other than "here's how we use Docker."<p>Related plug: There is <a href="https://appcanary.com/" rel="nofollow">https://appcanary.com/</a> which is a dependency vulnerability alerting service (disclaimer: I'm friends with the founders, swell folks who genuinely care about improving the safety of code everywhere). Many vulnerability databases are public, but keeping track of things, especially across platforms and database providers, is really painful.
Skimmed the responses, and I don't think anyone has said this, so...<p>Write a web app. Find the least friendly, most bare bones server in whatever your favorite language is (sinatra, flask, gin-gonic). Write as much of the MVC stuff as you can yourself. You will unintentionally implement at least one of the OWASP top 10 bugs. Maybe try to intentionally implement as many of them as you can.<p>So far the most educational coding I've done is writing a web proxy and a web router. Pentesting forced me to look at most parts of an HTTP request... rewriting headers, implementing session stores and (trying to) handle SSL has all been painfully educational.
The top 10 is way too high level to be of any use, but the cheatsheets are actually not bad:
<a href="https://www.owasp.org/index.php/XSS_Prevention_Cheatsheet" rel="nofollow">https://www.owasp.org/index.php/XSS_Prevention_Cheatsheet</a> (end of the page)
I think as a bare minimum, you should choose a web application framework that has a well documented guide covering security and make sure you read it and understand it. Django and Rails both have well organized documentation around this topic. Most of the attacks are relevant to any web app, but how you deal with them is framework specific:<p><a href="https://docs.djangoproject.com/en/1.8/topics/security/" rel="nofollow">https://docs.djangoproject.com/en/1.8/topics/security/</a><p><a href="http://guides.rubyonrails.org/security.html" rel="nofollow">http://guides.rubyonrails.org/security.html</a>
If you're using Django, there's a chapter in the Two Scoops of Django 1.6 book that covers Django security. Have you looked into framework specific resources? If you're using one of the big ones, this may be the most practical place to start.<p>Nikto and other free web app vulnerability scanners can be good for both learning and practical use in the real world (albeit not much more useful than low-hanging fruit). <a href="http://sectools.org/tag/web-scanners/" rel="nofollow">http://sectools.org/tag/web-scanners/</a>
SANS is a good resource for training material about security. They have a number of courses for "defenders" and "builders" including web security (e.g., DEV522: Defending Web Applications Security Essentials: <a href="https://www.sans.org/ondemand/course/defending-web-applications-security-essentials" rel="nofollow">https://www.sans.org/ondemand/course/defending-web-applicati...</a> ). It's not free though :-)<p>Check out the AppSec conference videos (<a href="https://www.owasp.org/index.php/Category:OWASP_Video" rel="nofollow">https://www.owasp.org/index.php/Category:OWASP_Video</a>). You can find useful talks for "defenders" and "builders" there. For example, one of the first videos on their Vimeo channel (<a href="https://vimeo.com/appsecusa" rel="nofollow">https://vimeo.com/appsecusa</a>) is a talk by Douglas Crockford about securing JavaScript.<p>One of the biggest problems with the security information out there is that it's mostly geared towards "breakers" (and to a lesser degree "defenders"), but to change the state of security we need more (quality) information for "builders", so they can build more secure apps...<p>By the way, if you are a web app builder and you care about security, learn and use CSP (Content Security Policy). CSP is one of the most effective ways to deal with XSS attacks. Here's a place to get started: <a href="https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/Security/CSP/In...</a>
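The CSP recommendation in the comment above, as an added example that is not part of the thread: a small builder and linter for a Content-Security-Policy header value, with a constructed weak policy beside a hardened one. The directive names are real CSP directives; the nonce value is a placeholder that a real application must replace with a random per-response value.

```python
"""Build a Content-Security-Policy header and lint it for settings that defeat its
XSS protection (added example, not from the thread)."""
from typing import Dict, List

# Source expressions in script-src that let an injected <script> run anyway.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

def build_csp(directives: Dict[str, List[str]]) -> str:
    """Serialize {'script-src': ["'self'"], ...} into a header value."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in directives.items())

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value back into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_findings(header: str) -> List[str]:
    """One finding per weakness that undermines XSS protection; [] means none found.
    Conservative: 'unsafe-inline' is flagged even when a nonce is also present."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: injected scripts run unrestricted")
    else:
        findings += [f"script-src allows {s}, which permits injected scripts"
                     for s in script_src if s in WEAK_SCRIPT_SOURCES]
    # object-src also falls back to default-src; plugin content can bypass script-src.
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can execute code")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag redirects relative script URLs")
    return findings

# Constructed sample policies; a real nonce must be random per response.
WEAK_POLICY = build_csp({"default-src": ["*"], "script-src": ["'self'", "'unsafe-inline'"]})
HARDENED_POLICY = build_csp({
    "default-src": ["'none'"], "script-src": ["'self'", "'nonce-REPLACE_PER_RESPONSE'"],
    "style-src": ["'self'"], "img-src": ["'self'"], "connect-src": ["'self'"],
    "object-src": ["'none'"], "base-uri": ["'none'"], "frame-ancestors": ["'none'"],
})
```

Run `csp_findings` over the header your framework actually emits; the hardened policy above reports nothing, while the weak one is flagged for `'unsafe-inline'`, the open `object-src` fallback and the missing `base-uri`.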
<i>The Art of Software Security Assessment</i> is a gold standard in infosec that goes well beyond simply web applications, but it does cover those, as well.<p>Definitely read that to get a holistic image.
I noticed the same, but then I found the Steve Gibson Security Now podcast <a href="https://www.grc.com/securitynow.htm" rel="nofollow">https://www.grc.com/securitynow.htm</a><p>The episode archive has a whole course on security, with a focus on the web.
Webapp security is important, but server security is in my opinion the most difficult thing to get right, i.e. how to configure a server properly in the era of apps pushed directly on VPS, IaaS, containers and co. Any resources about the matter appreciated.
I feel a huge part of this is "culture".<p>If a junior developer logs an issue stating "I'm concerned that this function could lead to SQL injection", what is the reaction?<p>In most companies I've seen, the answer is a senior developer saying either "show me an exploit or accept that you're wrong". If the attitude was instead to say "I disagree about exploitability, but the fact there's a question there is a code smell regardless so send a PR", a lot of vulnerabilities would go away.
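The "code smell regardless of exploitability" point above, as an added example that is not part of the thread: a lookup that splices caller text into SQL beside its parameterized form, plus the grep a reviewer could run to find the pattern. The table, the user record and the surname `O'Brien` are constructed sample data; the smell heuristic is a deliberately rough line-level check, not a parser.

```python
"""Code-smell review from the comment above: SQL built by string formatting beside its
parameterized form, plus the grep a reviewer would run (added example, not from the thread)."""
import inspect
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users (username) VALUES ('alice')")
    return conn

def find_user_smelly(conn: sqlite3.Connection, username: str) -> list:
    """The smell: caller-supplied text spliced into the statement. Worth a PR regardless
    of whether anyone has shown an exploit, because legitimate input breaks it too."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the input is data, never SQL syntax."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()

def lookup(fn, conn: sqlite3.Connection, username: str):
    """Run a lookup, returning the database error text instead of raising."""
    try:
        return fn(conn, username)
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"

SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
STRING_BUILDING = re.compile(r"""\bf["']|\.format\(|%\s*\(| \+ """)

def sql_smell_lines(source: str) -> list:
    """Reviewer heuristic: line numbers where SQL keywords meet string building."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SQL_KEYWORD.search(line) and STRING_BUILDING.search(line)]

# Which of the two lookups would a reviewer flag?
SMELL_REPORT = {fn.__name__: sql_smell_lines(inspect.getsource(fn))
                for fn in (find_user_smelly, find_user_safe)}

if __name__ == "__main__":
    db = make_db()
    for fn in (find_user_smelly, find_user_safe):
        # A surname with an apostrophe is enough to tell the two apart.
        print(fn.__name__, lookup(fn, db, "O'Brien"), SMELL_REPORT[fn.__name__])
```

The formatted version fails with a SQL syntax error on a perfectly ordinary surname, which is the evidence the junior developer needed without having to write an exploit.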
I'm not a security expert at all, but I was wondering if Google Gruyere[0] was a worthwhile resource/training exercise...<p>[0] <a href="https://google-gruyere.appspot.com/" rel="nofollow">https://google-gruyere.appspot.com/</a>
Maybe, if you can allow it and you care enough for security, the best thing is to use a framework designed for security like Scala Lift.<p>That way, everything is built in.
The OWASP Development Guide 2.0.1 is from 2005, but it's still relevant: <a href="https://www.owasp.org/index.php/Projects/OWASP_Development_Guide/Releases/Guide_2.0" rel="nofollow">https://www.owasp.org/index.php/Projects/OWASP_Development_G...</a>