Security in modern Web Applications -> Owasp to the rescue!

jacobandrewsky

Jakub Andrzejewski

Posted on November 13, 2023

Security in modern Web Applications -> Owasp to the rescue!

This summer, I had an unique opportunity to give a talk at WeAreDevelopers World Congress 🎉

I was really happy about it and when I discovered the talk title that was selected (the same as this article title) I thought that it is even better! I like improving security of web apps so giving a talk about this subject is such great and big audience as the one at WeAreDevelopers was always my dream.

Below, you will see the link to my presentation as well as the links to the tools and packages that can be quite useful when working with Security in modern web applications with OWASP.

Security in modern web applications<br>
OWASP to the Rescue<br>

I have also summarized some of the most important parts of my talk so that you can read about it :)

Enjoy!

https://docs.google.com/presentation/d/1XeLL2YpjUBOE3iAjyXIiplBkylKTCLVT2HbXSY96gZo/edit?usp=sharing

Main idea

To make you more aware of security risks in modern web applications. That's it. In this talk, I wanted to share security awareness across developers because I believe that if you are aware of common security issues, you are less likely to have them in your system.

Why do we have security issues in web applications?

Why do we have security issues in web applications?

Business & Management wants developers to deliver ASAP

Business & Management wants developers to deliver ASAP

As developers, we should explain to them that not working on these aspects will have bad consequences later

When should I start working on security?

As ASAP as Possible. It should be part of CI/CD process as shown below

Security in CI/CD

Where should I look for security patterns & principles?

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Globally recognized by developers as the first step towards more secure coding.

Common security risks

OWASP TOP 10 names several common security risks that you can encounter while developing a web application.

Let's start with injections - SQL and XSS

Injections

These attacks aim to inject some malicious code into your application by either storing it unintentionally in the database (SQL) or in user browser (XSS).

You can read more about them here:

Next, there is Broken Access Control

Broken Access Control

The idea of this attack is to bypass security rules so that unauthorized user could access data that should only be accessible to authorized members (like admins for example). You can read more about it https://www.prplbx.com/resources/blog/broken-access-control/

And finally my favourite, Denial of Service attacks that aim to deliver so many requests to your application that it will basically give up and stop working

Denial of Service

You can read more about it https://developer.okta.com/books/api-security/dos/what/

The best way to protect against these attacks is to follow OWASP recommendations.

Protecting your application

The easiest way to protect your web application against these common security threats in my opinion is always to utilise native browser functionality like HTTP Headers:

HTTP Security Headers

They allow you to set some instructions to how your browser should behave under certain circumstances. You can set Content Security Policy, Permissions Policy, Basic Auth, and many more!

But in order to protect your application against all other threats you should also learn more about following cases:

  • Rate & Request Size Limiting
  • Cross Origin Resource Sharing (CORS)
  • Cross Site Request Forgery (CSRF)
  • Cross Site Scripting (XSS) Validation
  • Allowed HTTP Methods
  • Logging & monitoring

And my final note for the slides:

There are no unbreakable systems. There are only those who are so difficult/time consuming to break that attackers will give up

Improving Security of Vue & Nuxt

I am proud to say that there is a really good package (module) for Nuxt that you can use to make your app more secure by default (I am the maintainer of it :D ).

Nuxt Security

By using it, your application should be protected against common security issues and threats mentioned by OWASP.

It comes with several features out of the box:

  • Security response headers (including CSP for SSG apps)
  • Request Size & Rate Limiters
  • Cross Site Scripting (XSS) Validation
  • Cross-Origin Resource Sharing (CORS) support
  • Hide X-Powered-By header and remove console loggers utils
  • [Optional] Allowed HTTP Methods, Basic Auth, CSRF

If you like the idea, please make sure to leave a GitHub star :)

https://github.com/baroshem/nuxt-security

Summary

Nicely done! You are now more aware about common security risks and threats. Thanks to that, you are less likely to have these issues in your web application. With this in mind, go and build more secure web applications, one website at a time! 😉

Take care and see you next time!

💖 💪 🙅 🚩
jacobandrewsky
Jakub Andrzejewski

Posted on November 13, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related