3 Security layer 1: protecting web applications

This chapter covers

  • Automating the security testing of an application in CI
  • Identifying and protecting against common web app attacks
  • Authentication techniques for websites
  • Keeping web apps and their dependencies up to date

In chapter 2, we deployed the invoicer, a small web application (web app) that manages invoices. We ignored security completely to focus on building a DevOps pipeline. In this chapter, we’ll go back to the invoicer application and focus on securing it. Our interest here is in the application itself; we’ll cover the security of the infrastructure and the CI/CD pipeline in later chapters.

Web application security (WebAppSec) is its own specialty within the field of information security. WebAppSec focuses on identifying vulnerabilities in web apps (including websites and APIs) and web browsers and defining controls to protect against them.

Specialists spend an entire career perfecting skills in WebAppSec. A single chapter can only provide an overview of the field, so we’ll focus on the elementary controls needed to bring the invoicer to a solid security level and leave pointers for you to go beyond the scope of this chapter. You can find many great resources on the subject. The following is a short list you should keep nearby:

3.1 Securing and testing web apps

3.2 Website attacks and content security

3.2.1 Cross-site scripting and Content Security Policy

3.2.2 Cross-site request forgery

3.2.3 Clickjacking and IFrames protection

3.3 Methods for authenticating users

3.3.1 HTTP basic authentication

3.3.2 Password management

3.3.3 Identity providers

3.3.4 Sessions and cookie security

3.3.5 Testing authentication

3.4 Managing dependencies

3.4.1 Golang vendoring

3.4.2 Node.js package management

3.4.3 Python requirements

Summary