People have been asking about resources to get started on security as a developer. I’ve decided to start a “security for developers” series. Here are some initial topics I’ve talked about:
This topic of security engineering has gotten a lot of attention in the past few months. The Pragmatic Engineer recently released a two-part series on security engineering: Part 1 and Part 2. They cover a large range of topics and provide a short overview of each. It's different from the posts I'm creating. My goal is to dive deeper into topics for developers so that they can practically navigate the security issues they might face on a daily basis. This way, they can maintain a strong security posture until they are able to hire a dedicated security person.
Today, I'm going to discuss some topics in web security. Two good resources for understanding web security threats are the OWASP Top 10 and the OWASP Cheat Sheet Series. The goal of these resources is to show you the top threats and some basic security configurations and tips to mitigate risk.
In this newsletter, I plan to talk through the threats and defenses for the following common types of web security attacks:
Distributed Denial of Service (DDoS)
SQL Injection
Credential Stuffing
Cross-site scripting (XSS)
Distributed Denial of Service (DDoS)
This is a common problem that many public-facing websites will face. In a DDoS attack, an attacker floods a website with traffic from many sources at once so that legitimate users can no longer reach it; a plain DoS is the same idea from a single source. An unintentional DoS can also happen when a website simply gets far more traffic than it was sized for, such as after a launch. The symptoms are the same, so most of the same defenses apply, with one difference: a legitimate surge is a capacity problem (caching, autoscaling), not a filtering problem, and you do not want to block those visitors.
Nowadays, companies are better prepared for these attacks because they put the defenses up pre-emptively. The defenses pay for themselves even without an attack, since filtering out bad traffic reduces the overall load on a website. In the past, many companies only put up these defenses once they had experienced an attack.
So what do you do if this happens, or how do you prevent it? Infrastructure teams have historically worked through a variety of techniques to mitigate these attacks: IP-based blocking, rate limiting, serving challenges (such as CAPTCHAs) to suspicious clients, and so on. Nowadays, the practical answer for most teams is to put a web application firewall (WAF) from a CDN or DDoS-protection provider in front of the site. The WAF filters abusive application-layer traffic (request floods, bad bots, known attack patterns), and the provider's edge network absorbs the volumetric floods that would otherwise saturate your own bandwidth. It is relatively inexpensive, and it means you do not have to build these mitigations yourself. Two caveats a practitioner should keep in mind: a WAF that sits on your own origin does not help with a volumetric flood, since the traffic still has to reach you, and the origin must only accept connections from the provider, otherwise an attacker who discovers its IP address bypasses the whole setup. It is also worth keeping application-level rate limits on the endpoints that are expensive to serve (login, search, exports) as defense in depth.
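To make the rate-limiting technique above concrete, here is an added example (not code from the original post) of a per-client sliding-window rate limiter, run over a constructed stream of requests. It also shows the edge case that bites people once a WAF or CDN is in front of the site: the limiter has to key on the real client address, but it may only trust the X-Forwarded-For header when the TCP peer is one of your own proxies. The proxy address 10.0.0.2, the client and attacker addresses, the request timestamps and the limit of five requests per second are all assumptions made up for the example; a production deployment would keep the counters in a shared store so every application instance sees the same counts.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key.

    Timestamps are kept per key in a deque; anything older than the window is
    evicted on each call, so the limit slides rather than resetting on a fixed
    boundary. In-memory only for the example (assumption): a real deployment
    would share the counters between instances, e.g. in Redis.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = {}  # client key -> deque of request timestamps

    def allow(self, key, now):
        q = self._hits.setdefault(key, deque())
        # Drop requests that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: reject (HTTP 429 in a real server)
        q.append(now)
        return True


def client_key(remote_addr, headers, trusted_proxies):
    """Pick the address to rate-limit on.

    Honour X-Forwarded-For only when the TCP peer is one of our own proxies
    (assumed here to be a single hop that appends the client it saw as the
    last entry). If you trust the header from anyone, an attacker hitting the
    origin directly can put a fresh fake address in it on every request and
    never reach the per-IP limit.
    """
    if remote_addr in trusted_proxies:
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr


# Constructed sample traffic: (timestamp, TCP peer, headers).
SAMPLE_REQUESTS = sorted(
    # A legitimate client arriving through the trusted proxy, 3 requests in 1 s.
    [(i * 0.3, "10.0.0.2", {"X-Forwarded-For": "203.0.113.5"}) for i in range(3)]
    # An attacker hitting the origin directly, 10 requests in half a second,
    # rotating a spoofed X-Forwarded-For on every request.
    + [(0.1 + i * 0.05, "198.51.100.7", {"X-Forwarded-For": f"192.0.2.{i}"}) for i in range(10)],
    key=lambda r: r[0],
)


def simulate(requests, limit=5, window=1.0, trusted_proxies=frozenset({"10.0.0.2"})):
    """Run the limiter over a request stream; returns [(client key, allowed)]."""
    limiter = SlidingWindowLimiter(limit, window)
    return [
        (key, limiter.allow(key, ts))
        for ts, remote, headers in requests
        for key in (client_key(remote, headers, trusted_proxies),)
    ]


def summarize(results):
    """Count (allowed, blocked) per client key."""
    summary = {}
    for key, allowed in results:
        ok, blocked = summary.get(key, (0, 0))
        summary[key] = (ok + 1, blocked) if allowed else (ok, blocked + 1)
    return summary


if __name__ == "__main__":
    for key, (ok, blocked) in summarize(simulate(SAMPLE_REQUESTS)).items():
        print(f"{key}: {ok} allowed, {blocked} blocked")
```

The legitimate client keeps all three requests because it is keyed on the address the trusted proxy forwarded, while the attacker is keyed on its real peer address despite the rotating header, so only the first five of its ten requests get through. Swap the `trusted_proxies` set for an empty one and the attacker is still limited; swap `client_key` for one that always trusts the header and the attacker gets all ten, which is the bypass the caveat above describes.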