API
Vadim, 2022-02-09 14:24:42

What resources can be used to learn the principles of secure web development?

Hello everyone,

I know that the topic is not very popular with many web programmers... somehow everyone is studying, but no one pays much attention to the OWASP 10 and how to protect against them. So I put the question at the middle level of difficulty.

So, what resources do you use to learn secure coding on the web? I didn't find it in the Russian segment at all... there are a couple of wildly expensive courses and (expensive) platforms for corporations... but what about a regular developer?

examples of expensive platforms for corporations - here:
https://www.g2.com/categories/secure-code-training

and here are examples of wildly expensive trainings))
https://www.glasspaper.no/en/courses/web-applicati ...
https://www.nobleprog.ru/cc/seccode?participants=1...

good beaver to all))
Vadim

3 answer(s)
Vadim, 2022-02-17
@Viji

Register as an OWASP member at
https://owasp.org/membership/
it costs 50 bucks a year
and get access to the SecureFlag Platform
a good option, the rest are only corporate or very expensive!

Rag'n' Code Man, 2022-02-09
@iDmitriyWinX

Secure web development is, in essence, CORS, CSP, protection from XSS, protection from CSRF, and password hashing.
UPD:
Vadim, if you do not want data you are not expecting to arrive at your API, use validation with whitelisting. If you need to limit the places a request can come from, configure CORS.
If you want to limit the number of requests per endpoint within a certain amount of time from one IP, use a rate limit. The point about correctly building authorization is also not entirely clear. Which is better for you: JWT or OAuth2? All the strategies have long since been invented, and doing something wrong will also be difficult.
Need to transmit data securely over the network? HTTPS and SSL.
Want to close all ports except 443? Use a firewall.
There is no need to study the "principles of secure web development": when you start writing something, you will immediately see all the weaknesses and start looking for solutions specifically for your situation. And so, you will not make yours any safer.
fetch('https://api.com')
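As an added illustration of the validation, CORS and rate-limit points in the answer above (example code written for this page, not from the answer's author), a minimal request guard in plain JavaScript; the schema, the allowed origin, the IP addresses and the limits are assumed values:

```javascript
// Added example (not from the original answers): a request guard applying
// allowlist validation, an origin allowlist for CORS, and a per-IP rate limit.

// Allowlist: only these fields, with these shapes, are accepted on the API.
const SCHEMA = {
  username: (v) => typeof v === 'string' && /^[a-z0-9_]{3,32}$/.test(v),
  age: (v) => Number.isInteger(v) && v >= 0 && v <= 150,
};

// Rejects unknown fields and invalid values; returns only validated data.
function validateBody(body) {
  const errors = [];
  const clean = {};
  for (const key of Object.keys(body)) {
    if (!(key in SCHEMA)) errors.push(`unexpected field: ${key}`);
    else if (!SCHEMA[key](body[key])) errors.push(`invalid value: ${key}`);
    else clean[key] = body[key];
  }
  return { ok: errors.length === 0, clean, errors };
}

// CORS: only origins on the allowlist get an Access-Control-Allow-Origin header.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed value
function corsHeaders(origin) {
  return ALLOWED_ORIGINS.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' }
    : {};
}

// Rate limit: at most `limit` requests per IP per `windowMs` (fixed window).
function makeRateLimiter(limit, windowMs) {
  const buckets = new Map(); // ip -> { start, count }
  return function allow(ip, now = Date.now()) {
    const b = buckets.get(ip);
    if (!b || now - b.start >= windowMs) {
      buckets.set(ip, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}
// Applies the three checks in order and returns an HTTP-style status.
function guard(req, allow) {
  if (!allow(req.ip, req.now)) return { status: 429 };
  const v = validateBody(req.body);
  if (!v.ok) return { status: 400, errors: v.errors };
  return { status: 200, body: v.clean, headers: corsHeaders(req.origin) };
}
```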

Vyacheslav, 2022-02-09
@Armann

I disagree with my colleagues that "there is nothing to study there, and everything is clear" :) The topic is large and interesting; there is more than you could ever dig through.
I'm not an expert, but the picture looks like this:
- on the information side - study OWASP, at least. There were sites with translations of OWASP articles and their own materials on web security;
- for development - arm yourself with static analyzers (SonarQube, Bandit for Python, etc.). The analyzer will point out suspicious places, and you will improve your understanding of possible attack vectors;
- for testing - check with scanners like OWASP ZAP and https://www.ssllabs.com/ssltest/analyze.html . Again, analyzing the findings will give an understanding of how you can be attacked, what can be done and what cannot;
