[ Security for Web Developers ] :: 16: Best Practices


This is post 16 of 16 in the series “Security for Web Developers”. You should: Change the default user name directly in the database. Put files that contain login credentials outside your webroot. Don’t allow writable directories. (With details…) Don’t allow users to upload anything. Sorry. Avoid toxic data. Patch like mad. Use a security …

[ Security for Web Developers ] :: 15: Testing Guides and Aids


This is post 15 of 16 in the series “Security for Web Developers”. By the Book: There are lots of methodologies, more or less formal, for testing your web app’s security. OWASP is, of course, a biggie. https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf And don’t forget tools for particular platforms, for instance WordPress. http://wpscan.org/ (this is great) Next: https://schoolforhackers.com/security-web-developers-best-practices/

[ Security for Web Developers ] :: 12: Mutillidae


This is post 12 of 16 in the series “Security for Web Developers”. Using Mutillidae: Mutillidae is another pre-built vulnerable web app. It’s highly aligned with the OWASP testing organization (which can take you wildly deep into the world of web app testing). You can install it side-by-side with other web apps by simply putting …

[ Security for Web Developers ] :: 10: Defense Strategies


This is post 10 of 16 in the series “Security for Web Developers”. Security Strategy A: Put someone on it full-time. Do patching immediately. Monitor constantly and alert frequently. Review existing apps for correct security. Run a tight firewall. Run an IDS. See https://www.veracode.com/blog/2015/10/3-easy-steps-making-perfect-security-possible. Audit, audit, audit. Security Strategy B: Use a web scanning service …