Developing secure web applications has become critical because handling sensitive customer data is part and parcel of their operations. In today’s digital era, web applications serve a wide range of functions, from online banking and e-commerce transactions to communications, all of which involve the processing of confidential data.
If security isn’t built in from the ground up, and instead, tacked on as an afterthought, the repercussions can be dire, including ransomware, identity theft, financial fraud, and immeasurable damage to the company’s reputation.
This is particularly true in today’s stringent regulatory environment, where every industry is bound by compliance rules and regulations aimed at safeguarding customer data and privacy. Building web applications that are secure by design makes it far easier to adhere to these regulations and avoid substantial penalties.
A surge in web application attacks
Moreover, recent research shines a spotlight on an alarming surge in the number of web application attacks. For example, CDNetworks reported a 12.56% increase in web application attacks compared with the previous year, translating to a daily average of 62.8875 million attacks. Compounding the problem, the Ponemon Institute puts the average cost of a data breach in the US alone at a staggering $8.19 million.
These statistics show that cyber-attacks on web applications are a serious threat that can have significant financial and reputational consequences.
With this in mind, Barcelona Code School, together with itrainsec, will be holding a new course called ‘Cybersecurity for Web Developers’, aimed at arming developers with the right tools to build applications securely. During the course, attendees will learn how to handle sensitive data, how to strengthen authentication systems, how to protect databases and servers from malicious attempts, and how to prevent the majority of common hacking attacks. Armed with these cybersecurity skills, delegates will be able not only to build web apps but to safeguard them from penetration attacks, significantly increasing their value as developers.
The eternal homework
Martin Vigo, a security expert, researcher, and educator, will be conducting the training. He describes security as the eternal homework that is usually left until the end, which is not a good practice. “Not involving the security team during the early stages of the development lifecycle wastes resources and time, as security engineers are forced to request huge changes. These changes may impact architecture and permissions models to address vulnerabilities, changes that can be avoided from the beginning. The sooner security-related issues can be detected, the easier it is to solve the problem. Otherwise, one ends up with ‘monkey patches’ and half-baked solutions that will just add to your tech debt.”
When asked about the most common vulnerabilities found in Web apps, Martin Vigo says: “In a nutshell, the most common vulnerabilities in Web applications are a mix of exploiting browser-specific “quirks” and weaknesses related to the authorisation model. In other words, as an attacker, one is able to take actions that one is not entitled to. The impact can vary from defacing a website to account takeovers or even full server compromise. When it comes to mitigations, it can be a cat-and-mouse game. Standards may get updated to address a specific vulnerability, browsers may implement new mitigations and developers may take advantage of new features in modern programming languages to reduce the impact in case of exploitation.”
It is Martin Vigo’s opinion that every developer should learn secure coding and best practices at the very least. “My background is actually software engineering, I’ve had the chance to work with very talented peers in that field. When I made the transition to cybersecurity, I realised that even the best engineers around me would be introducing vulnerabilities from time to time without realising it. That is expected since it’s common to be both a stellar software engineer and a great security engineer. That is why I started training developers to focus on the most common vulnerabilities that I used to introduce as well. The industry is in agreement on the most common vulnerabilities on Websites and mobile apps. The first step to avoiding creating security issues in software is to understand the technicalities of all the existing vulnerabilities, how they can be found, and of course, how to mitigate them.”
The least privilege model
When asked how to approach secure authentication and authorisation in web development projects, Martin Vigo points out that multiple frameworks and libraries now exist for the most popular programming languages to address exactly this.
The use of these libraries is encouraged and they tend to be open-source and peer-reviewed by professionals in the industry, Martin Vigo explains. “It’s difficult to give a short answer when it comes to such a big topic, but the rule of thumb is to follow the least-privilege model approach in which you grant the bare minimum permissions needed to the users. This seems straightforward but it is one of the most common issues found in websites.”
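The “bare minimum permissions” rule above is easiest to see in code. The following is an added example, not code from the course, from Martin Vigo or from the article: a request handler for a hypothetical `/invoices/:id` endpoint written twice, first trusting authentication alone (any logged-in user can read any invoice by changing the ID), then with a deny-by-default object-level authorisation check. The in-memory store, the `req.user` shape and the role table are assumptions standing in for a real database and auth middleware; no web framework is needed to run it.

```javascript
// Added example (not from the course or the article): object-level
// authorisation in a Node-style request handler, illustrating the
// least-privilege rule. Request/response shapes are assumed; no framework used.

// Constructed in-memory data store standing in for a real database.
const invoices = new Map([
  ["inv-1", { id: "inv-1", ownerId: "alice", amount: 120 }],
  ["inv-2", { id: "inv-2", ownerId: "bob", amount: 75 }],
]);

// Assumed permission table: each role lists only the actions it may take.
const rolePermissions = {
  customer: new Set(["invoice:read-own"]),
  support: new Set(["invoice:read-own", "invoice:read-any"]),
};

// VULNERABLE: the caller is authenticated (req.user is set by upstream
// middleware) but the handler never checks that the caller may see *this*
// invoice. Any logged-in user can walk /invoices/:id and read everyone's data.
function getInvoiceVulnerable(req) {
  const invoice = invoices.get(req.params.id);
  if (!invoice) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: invoice };
}

// HARDENED: deny by default, then grant the narrowest permission that fits.
function getInvoiceHardened(req) {
  const user = req.user;
  if (!user) return { status: 401, body: { error: "unauthenticated" } };

  const invoice = invoices.get(req.params.id);
  // Use 404 for both "missing" and "not yours" so the endpoint does not
  // confirm which IDs exist to a caller who is not entitled to them.
  if (!invoice) return { status: 404, body: { error: "not found" } };

  const perms = rolePermissions[user.role] || new Set(); // unknown role: no rights
  const isOwner = invoice.ownerId === user.id;
  const allowed =
    (isOwner && perms.has("invoice:read-own")) || perms.has("invoice:read-any");
  if (!allowed) return { status: 404, body: { error: "not found" } };

  return { status: 200, body: invoice };
}

// Builds a request the way a router would after auth middleware has run.
function makeRequest(user, id) {
  return { user, params: { id } };
}

// Usage: bob, an ordinary customer, tries to read alice's invoice.
const bob = { id: "bob", role: "customer" };
console.log(getInvoiceVulnerable(makeRequest(bob, "inv-1")).status); // 200: data leak
console.log(getInvoiceHardened(makeRequest(bob, "inv-1")).status); // 404: denied
```

The hardened version makes two choices worth copying: the permission table is consulted before the resource is returned rather than after, and an unknown or missing role resolves to an empty permission set instead of to a default that happens to be permissive.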
He says ensuring data privacy and protection of sensitive information in web applications involves a combination of keeping the database secure and having a robust website that cannot be exploited. In addition, it is important to follow the best practices and recommendations that even public institutions publish in guides for developers, as data protection goes hand in hand with the law. “As we’ve mentioned, companies can incur hefty fines if they do not protect their customers’ data properly.”
Staying abreast of the trends
Keeping up with the latest security trends and emerging threats in the web development industry is also key to application security, and Martin Vigo says he has a curated RSS feed that he has been updating over the years with a mix of websites from bug bounty hunters, blogs from experts in the industry and some companies that have interesting articles from time to time.
“In addition, I use Twitter to stay up to date with new trends, following industry experts that have a high signal, low noise ratio which is something I value in my Twitter feed. Lastly, I watch cybersecurity Twitch channels as well as podcasts, and in fact, have my own podcast where I cover all the latest news about hacking and privacy.”
Building brick on brick
George Kovalev from the Barcelona Code School, course manager for this training, says that from the perspective of educators the process of learning web and mobile development is sequential: students go from level one to level two, and so on, building brick on brick.
“The best time to learn about cyber security is after you have learned how to build web and mobile apps properly. In the case of developers, learning never stops. In our case, let’s say once we have taught students how to build servers with Node, Express, and MongoDB, and clients with React or React Native for mobile, the next steps could be learning another library, or learning more about cybersecurity.”
George Kovalev says the latter seems more beneficial, since the practices and concepts are transferable between languages and libraries. “Knowing how to build a web app in many different languages and/or libraries but without understanding how to make it secure is less attractive than knowing how to build it with one language or library but with less risk of it being exploited, in my opinion.”
You already know how to build web applications, but do you know how to make them secure? In this course, you will learn how to handle sensitive data, how to strengthen your authentication systems, how to protect your database and server from malicious attempts, and how to prevent the majority of common hacking attacks. With cybersecurity skills under your belt, you will be able not only to build web apps but safeguard them from penetration attacks, significantly increasing your value as a developer.
In today's competitive landscape, it is crucial for web developers to differentiate themselves by acquiring cybersecurity knowledge. By gaining expertise in cybersecurity and following secure best practices, you can stand out from other developers and become a stronger engineer. This course offers you the opportunity to become a security subject matter expert within your team.