Don't say we didn't warn you.
This 12-hour course is a brief and intense dive into web site and application security, including risk assessment and remediation techniques. Recommended for up-and-coming developers.
This is post 16 of 16 in the series “Security for Web Developers” You should: Change the default user name directly in the database. Put files that contain login credentials outside your webroot. Don’t allow writable directories. (With details….) Don’t allow users to upload anything. Sorry. Avoid toxic data. Patch like mad. Use a security …
Continue reading “[ Security for Web Developers ] :: 16: Best Practices”
This is post 15 of 16 in the series “Security for Web Developers” By the Book There are lots of methodologies, more or less formal, for testing your web app’s security. OWASP is, of course, a biggie. https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf And don’t forget tools for particular platforms, for instance WordPress. http://wpscan.org/ (this is great) Next: https://schoolforhackers.com/security-web-developers-best-practices/
This is post 14 of 16 in the series “Security for Web Developers” Grand Master Ninja Hacking With Burp Suite It can seem wildly complex, but it’s actually pretty straightforward to use. There are a lot of tutorials for it, but one of my favorite presenters is Andi Fishta; his videos are very short and …
Continue reading “[ Security for Web Developers ] :: 14: Burp Suite”
This is post 13 of 16 in the series “Security for Web Developers” Hydra First, be clear that there is more than one way to password-protect a website or a directory (folder) inside a website. One is to use a database management system to control what everybody sees. Another is to use simple htaccess files …
Continue reading “[ Security for Web Developers ] :: 13: Testing With Hydra”
This is post 12 of 16 in the series “Security for Web Developers” Using Mutillidae Mutillidae is another pre-built vulnerable web app. It’s highly aligned with the OWASP testing organization (which can take you wildly deep into the world of web app testing). You can install it side-by-side with other web apps by simply putting …
Continue reading “[ Security for Web Developers ] :: 12: Mutillidae”
This is post 11 of 16 in the series “Security for Web Developers” Using Local Test Web Apps You should be testing your site. If you don’t – or even if you do – other people will. So get familiar with some of the tools of the trade. Use a local website development tool like …
Continue reading “[ Security for Web Developers ] :: 11: DVWA”
This is post 10 of 16 in the series “Security for Web Developers” Security Strategy A: Put someone on it full-time. Do patching immediately. Monitor constantly and alert frequently. Review existing apps for correct security. Run a tight firewall. Run an IDS. See https://www.veracode.com/blog/2015/10/3-easy-steps-making-perfect-security-possible. Audit, audit, audit. Security Strategy B: Use a web scanning service …
Continue reading “[ Security for Web Developers ] :: 10: Defense Strategies”