How to Train Secure Web Application Developers

To ensure that your development team understand the risks associated with web application development, and are armed with the tools to protect your organisation against them, you need to understand how to train secure web developers.

This quick guide looks at the basic principles of application security, and highlights the unique problems associated with web application development. The Basic Principles of Web Application Security

At its heart, the core values of secure web application development are the same as those employed by developers across the board:

  • Secure web application development still depends on an organisation’s secure culture – an atmosphere within your organisation that encourages developers to have a proactive attitude towards security.
  • The basic principles of agile software security hold especially true in the fast-paced world of web development; with the majority of web applications now using the agile methodology.
  • Web application developers, like all software developers, will not prioritise security. In order to encourage meaningful adoption of security practices, your organisation needs to engage developers on their own terms – allowing for flexible, hands-on security training in the form of an eLearning course.

However, whilst the basic principles of secure software development will hold for web applications, there are a few unique instances in web development that require specialised security responses.

Where Secure Web Applications Diverge

The following topics are some of the unique security issues faced by web applications. In order to ensure secure development practices, it’s a great idea to enact specialised web development training – requiring developers to pass specific training modules for each of these issues.

Cross-Site Threats. Cross-site scripting (XSS) and cross-site request forgery (XSRF) are two of the most commonly used techniques for attacking web applications. Whilst the consequences of a successful cross-site attack can be huge, these types of security exploits can be prevented quickly and easily – and security modules in cross-site threats will teach developers how to prevent attacks using data sanitisation and digital timestamps.

Server Side Threats. SQL injection and malicious file uploads are regularly used by hackers to gain access to sensitive databases and information, and steal customer payment information. As a result, these types of server side problems pose a significant threat to both application security and business reputation – and need to be explicitly addressed during development.

Project Specific Security. Projects that use server-side PHP operate face very different security challenges to those that use browser-based Javascript. Unsurprisingly, each of these projects will be faced by extremely different security issues, and require a different approach to security. Before embarking on a development project, ensure that all developers are familiar with the best security practices for your chosen language/operating environment..

Cloud Development. Cloud-based applications are growing in popularity and prevalence, and crucially, bring with them a unique set of security issues. The differing security traits of various service models (infrastructure-, platform- and software-as-a-service), remote data access and API usage all require specialised training.

Compliance Issues. Many web applications handle confidential information and customer payment details. As such, these apps become subject to a wide range of legislation – most notably the rigorous security standards of PCI compliance.

The OWASP Top 10. The world of web development is particularly fast moving – and emerging threats and evolving security practices require developers to update their knowledge with the latest trends in application security. Thankfully, the OWASP (Open Web Application Security Project) Top 10 details the ten most critical security issues currently faced by web application developers. Many leading security organisations will provide developer training geared towards these critical issues – allowing developers to stay up-to-date with the fast-paced world of web security.

The Importance of Pro-Active Training

In order to create secure web applications, developers need to understand the basic principles of secure software development, and learn to identify where web applications diverge from these principles. Wherever a web-based project requires a unique set of tools or techniques to develop, it’s likely that a unique set of security issues will appear alongside it.

In order to ensure that these vulnerabilities never turn into a serious security threat, it’s essential for developers to be proactive with their security training – using training courses to learn about the unique nature of each web application they develop.

Get Switched on

Subscribe to our newsletter to keep ahead in the industry, and be the first to access new reports and white papers.