Who said developers write only code? Our colleague Andrei Paduraru admirably proves otherwise. He's quite the wordsmith, so we're starting a fresh new series authored by Andrei, in which he will share some unmissable tips and tricks about web security. Enjoy reading!
Web security, a ubiquitous matter
This article provides general guidelines on web application security. It is aimed mostly at developers, but it has useful advice for testers as well.
Web security is, surprisingly, one of the most overlooked aspects of the Internet. This happens for many reasons and in many ways. I will tell you the general story, but first, let's get to know the people involved:
1. First of all, we have the developers. Developers enjoy building stuff. When they were little, they probably used to play with Lego, excavators, stuff like that. They are peaceful people and mostly harmless.
2. Now come the testers. Testers are dangerous people. When they were little they used to play with hammers and ruin other people's toys. They are usually recognized by the mean look in their eyes. You best not mess with them!
3. At last, we have the hackers. We don't know who these people are. When they were little, they used to play with computers. Some say they are not all harmful, as is commonly believed, and that some of them even try to do us good. But who knows?
Now, here’s how web security issues happen:
Developers build an app. They look at it proudly thinking “Hey, it works!”. Then, the testers come in and prove it doesn’t. In a way, a tester acts like a hacker, trying to exploit the app. It’s a healthy process, because it encourages the developers to foresee defects and form new thinking patterns.
The only problem is that testers usually lack programming skill, so they try to break the app from within the app, through its own user interface. The irony is that we end up with an app that has merely been proven unable to hack itself. This makes the client feel confident. But hackers don't care about the client, the developers or the testers, and they don't go through the interface: they send whatever requests they like, whether or not the screens allow them.
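The following is an added illustration of that gap, not code from Andrei's article. It models a hypothetical checkout endpoint whose browser form only lets a user choose a quantity from 1 to 10 and never exposes the unit price. A tester clicking through the UI can only produce requests like the first constructed form, so the first handler looks correct; an attacker skips the UI and posts the second form. The hardened handler re-checks every rule on the server and takes the price from its own catalogue instead of the request. All names, prices and forms are constructed for the example.

```python
# Added example, not from the original article. The endpoint, catalogue
# and request forms below are constructed for illustration only.

# Constructed catalogue; a real app would query its database.
CATALOGUE = {"sku-1001": 2500}  # unit price in cents


class ValidationError(ValueError):
    """Raised when a request violates a rule the UI was supposed to enforce."""


def checkout_trusting_client(form: dict) -> int:
    """Vulnerable: trusts the fields exactly as the browser sent them.

    Passes every test done through the UI, because the UI never produces
    a bad quantity or a tampered price.
    """
    qty = int(form["quantity"])
    unit_price = int(form["unit_price"])  # attacker-controlled
    return qty * unit_price


def checkout_server_validated(form: dict) -> int:
    """Hardened: every rule the UI enforces is enforced again server-side."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValidationError("unknown sku")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise ValidationError("quantity is not an integer")
    if not 1 <= qty <= 10:
        raise ValidationError("quantity out of range")
    # The price comes from the catalogue, never from the request, so a
    # unit_price field in the form is simply ignored.
    return qty * CATALOGUE[sku]


# What a tester's browser sends: the only shape of request the UI can make.
TESTER_FORM = {"sku": "sku-1001", "quantity": "2", "unit_price": "2500"}

# What an attacker sends with curl or an intercepting proxy: the same
# endpoint, with fields the UI never lets a user touch.
ATTACKER_FORM = {"sku": "sku-1001", "quantity": "-5", "unit_price": "1"}


def demo() -> dict:
    """Run both handlers against both forms and collect the outcomes."""
    results = {}
    results["trusting_tester"] = checkout_trusting_client(TESTER_FORM)
    # Negative total: the shop would owe the attacker money.
    results["trusting_attacker"] = checkout_trusting_client(ATTACKER_FORM)
    results["validated_tester"] = checkout_server_validated(TESTER_FORM)
    try:
        checkout_server_validated(ATTACKER_FORM)
        results["validated_attacker"] = "accepted"
    except ValidationError as exc:
        results["validated_attacker"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two constructed forms is that a test plan driven only by the UI never generates the second one, so the vulnerable handler passes that plan while charging a negative amount to anyone who bypasses the form.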
It all sounds scary, but in reality hackers are regular people like the rest of us. They are not all geniuses. Some of them are, but they have more important things to do than to mess with us. In fact, most of them are copycats, reusing well-known techniques. And well-known techniques always have well-known countermeasures.
Focus on your users
Most experts agree that there is no such thing as complete web security: we cannot make an application fully secure, only as secure as possible given the resources available.
The level of security we aim for depends a great deal on the application's users and on the core business. As a general rule, the more sensitive the data and the more important the client, the more secure the app should be.
As developers, another thing we can learn from the experts is this: when we talk about application security, the first thing we need to focus on is our users. They are the ones who need the protection, and we are the ones responsible for providing it.
So the next time you build an app, ask yourself: would I create an account for myself on this platform? Would I recommend that someone else do so? Also, be aware that user security is not limited to securing our app's database and server. An application can be exploited to steal a user's private data without the attacker ever touching the database or the server, for example by attacking what happens in the user's own browser.
In this series we will go in depth over critical security issues. We will split them into 3 categories:
- Database security: this is where all the user data resides, so it makes sense to secure that first.
- API security: the API is the gateway between the data and the world, through which it is added, modified and removed.
- Browser security: the browser is the place where all that data is gathered from the users and displayed back.
Don't miss the next articles in Andrei's series! He is going to share with you everything you need to know about web security, step by step. You will understand why securing the database comes first. Then, you will learn the two main concerns when dealing with API security. In the end, you will find out how to protect the browser, which holds a digital footprint of the user's activity. Stay tuned!