3 Security layer 1: protecting web applications
This chapter covers
- Automating the security testing of an application in CI
- Identifying and protecting against common web app attacks
- Authentication techniques for websites
- Keeping web apps and their dependencies up to date
In chapter 2, we deployed the invoicer, a small web application (web app) that manages invoices. We ignored security completely to focus on building a DevOps pipeline. In this chapter, we’ll go back to the invoicer application and focus on securing it. Our interest here is in the application itself; the security of the infrastructure and of the CI/CD pipeline is covered in later chapters.
Web application security (WebAppSec) is its own specialty within the field of information security. WebAppSec focuses on identifying vulnerabilities in web apps (including websites and APIs) and web browsers and defining controls to protect against them.
Specialists spend an entire career perfecting skills in WebAppSec. A single chapter can only provide an overview of the field, so we’ll focus on the elementary controls needed to bring the invoicer to a solid security level and leave pointers for you to go beyond the scope of this chapter. You can find many great resources on the subject. The following is a short list you should keep nearby: