Web Security

Let’s talk about web security. First, a few helpful resources:

Understanding conceptually how a browser client makes a request, takes plain-text HTML from a server response, and builds a Document Object Model while storing secrets is an important prerequisite to diving into these materials. Try to answer a question like: how did I authenticate to my banking website? What happened step by step, from typing in the URL, to entering data into the browser-rendered page, to submitting it back to the server, to gaining access?

I am currently reviewing the most critical security risks as laid out in the OWASP Top Ten. Many of these concepts are already familiar to me just by nature of having been in the software development industry over the past 10 years. There’s a lot to review, and I am tracking my progress with the garage door open:

Broken Access Control

Cryptographic Failures

  • Cryptographic Storage
  • Transport Layer Protection
  • HTTP Strict Transport Security
  • TLS Cipher String
  • Secrets Management
  • Key Management
  • Pinning

Injection

  • Injection Prevention
  • LDAP Injection Prevention
  • OS Command Injection Defense
  • Injection Prevention in Java
  • SQL Injection Prevention
  • Query Parameterization
  • Cross Site Scripting Prevention
  • DOM based XSS Prevention
  • XSS Filter Evasion
  • Content Security Policy

Insecure Design

  • Threat Modeling

Security Misconfiguration

  • Infrastructure as Code Security
  • XML External Entity Prevention
  • PHP Configuration

Vulnerable and Outdated Components

  • Vulnerable Dependency Management
  • Third Party JavaScript Management
  • npm Security best practices

Identification and Authentication Failures

  • Authentication
  • Session Management
  • Forgot Password
  • Choosing and Using Security Questions
  • Credential Stuffing Prevention
  • Denial of Service
  • JSON Web Token for Java
  • Multifactor Authentication
  • Password Storage
  • SAML Security

Software and Data Integrity Failures

  • Deserialization

Security Logging and Monitoring Failures

  • Logging
  • Application Logging Vocabulary

Server-Side Request Forgery (SSRF)

  • Server Side Request Forgery Prevention