Why do we have security issues in web applications?
Business & Management wants developers to deliver ASAP
As developers, we should explain to them that neglecting these aspects now will have bad consequences later.
When should I start working on security?
As soon as possible. Security should be part of the CI/CD process, as shown below:
Security in CI/CD
Where should I look for security patterns & principles?
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Globally recognized by developers as the first step towards more secure coding.
Common security risks
The OWASP Top 10 names several common security risks that you can encounter while developing a web application.
Let's start with injections: SQL injection and XSS.
Injections
These attacks aim to get malicious input executed by your application: either as part of a query sent to your database (SQL injection) or as script running in the user's browser (XSS), often after the payload has been stored unintentionally in your database.
You can read more about them here:
Next, there is Broken Access Control
Broken Access Control
The idea of this attack is to bypass access rules so that an unauthorized user can reach data or actions that should only be available to authorized members (admins, for example). You can read more about it here: https://www.prplbx.com/resources/blog/broken-access-control/
And finally my favourite: Denial of Service attacks, which aim to send so many requests to your application that it basically gives up and stops working.
Denial of Service
You can read more about it here: https://developer.okta.com/books/api-security/dos/what/
The best way to protect against these attacks is to follow OWASP recommendations.
Protecting your application
The easiest way to protect your web application against these common security threats is, in my opinion, to use native browser functionality such as HTTP headers:
HTTP Security Headers
They let you instruct the browser on how it should behave under certain circumstances. You can set a Content Security Policy, a Permissions Policy, Basic Auth, and many more!
But in order to protect your application against the other threats, you should also learn more about the following topics:
- Rate & Request Size Limiting
- Cross Origin Resource Sharing (CORS)
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS) Validation
- Allowed HTTP Methods
- Logging & monitoring
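To make the headers and request-side checks above concrete, here is an added example (written for this post, not code from nuxt-security or the original slides) of a tiny framework-agnostic security layer: it serializes a CSP and a Permissions-Policy from plain objects, builds the common response headers, and applies an allowed-methods check, a request size limit and a fixed-window rate limiter. The header names and directives are the real HTTP/CSP ones; the helper names, option shape and limits are assumptions of this example.

```javascript
// Serialize a CSP directives object, e.g. { 'default-src': ["'self'"] }, into header syntax.
// Directives with no value (like upgrade-insecure-requests) are emitted as a bare keyword.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(' ')}` : name))
    .join('; ');
}

// Serialize a Permissions-Policy: { camera: [], geolocation: ['self'] } -> "camera=(), geolocation=(self)"
// An empty allowlist disables the feature for every origin.
function serializePermissionsPolicy(features) {
  return Object.entries(features)
    .map(([feature, allow]) => `${feature}=(${allow.join(' ')})`)
    .join(', ');
}

// Build the security response headers for one page render. The per-response nonce lets
// only inline scripts tagged with it execute, so injected script tags are blocked by CSP.
function buildSecurityHeaders(nonce) {
  return {
    'Content-Security-Policy': serializeCsp({
      'default-src': ["'self'"],
      'script-src': ["'self'", `'nonce-${nonce}'`],
      'object-src': ["'none'"],
      'frame-ancestors': ["'none'"],
      'upgrade-insecure-requests': [],
    }),
    'Permissions-Policy': serializePermissionsPolicy({ camera: [], microphone: [], geolocation: ['self'] }),
    'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'no-referrer',
    'Cross-Origin-Opener-Policy': 'same-origin',
  };
}

// Request-side checks: allowed HTTP methods, body size, and a fixed-window rate limit per client.
// `buckets` is a constructed in-memory Map of client IP -> { windowStart, count }; limits are assumed values.
const LIMITS = { methods: ['GET', 'HEAD', 'POST'], maxBodyBytes: 1000000, windowMs: 60000, maxRequests: 100 };
function checkRequest(req, buckets, now = Date.now()) {
  if (!LIMITS.methods.includes(req.method)) return { allowed: false, status: 405 };
  if ((req.contentLength ?? 0) > LIMITS.maxBodyBytes) return { allowed: false, status: 413 };
  const b = buckets.get(req.ip) ?? { windowStart: now, count: 0 };
  if (now - b.windowStart >= LIMITS.windowMs) { b.windowStart = now; b.count = 0; } // new window
  b.count += 1;
  buckets.set(req.ip, b);
  return b.count > LIMITS.maxRequests ? { allowed: false, status: 429 } : { allowed: true, status: 200 };
}
```

In a real server you would call `buildSecurityHeaders` with a fresh random nonce per response and run `checkRequest` before any route handler, returning the status it reports.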
And my final note for the slides:
There are no unbreakable systems. There are only those who are so difficult/time consuming to break that attackers will give up
Improving Security of Vue & Nuxt
I am proud to say that there is a really good package (module) for Nuxt that you can use to make your app more secure by default (I am the maintainer of it :D ).
Nuxt Security
By using it, your application should be protected against common security issues and threats mentioned by OWASP.
It comes with several features out of the box:
- Security response headers (including CSP for SSG apps)
- Request Size & Rate Limiters
- Cross Site Scripting (XSS) Validation
- Cross-Origin Resource Sharing (CORS) support
- Hiding the X-Powered-By header and removing console logger utilities
- [Optional] Allowed HTTP Methods, Basic Auth, CSRF
If you like the idea, please make sure to leave a GitHub star :)
https://github.com/baroshem/nuxt-security
Summary
Nicely done! You are now more aware of common security risks and threats. Thanks to that, you are less likely to have these issues in your web application. With this in mind, go and build more secure web applications, one website at a time! 😉
Take care and see you next time!