SlideShare a Scribd company logo

Lidiia 'Alice' Skalytska - Security Checklist for Web Developers

OWASP Kyiv, profile picture
OWASP Kyiv

The document outlines a comprehensive security checklist for web developers, emphasizing the importance of a secure software development lifecycle and various practices such as threat modeling, secure authentication, and data validation. Key recommendations include implementing multi-factor authentication, utilizing HTTPS, securing cookies, and performing rigorous testing and penetration assessments. It also highlights the necessity of logging activities and maintaining the integrity of third-party components.

Technology
Related topics:
Software Security
1 of 21
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Security checklist for Web Developers Lidiia ‘Alice’ Skalytska OWASP Kyiv 2017
Software development lifecycle
Secure Software development lifecycle
Planning Analyze your application threat modeling user interface flaws data presentation flaws Usability create applications that users understand and like to use Security incident plan build security incident plan. One day, you will need it.
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Development / Implementation Authentication Database Input / output / validate Web Traffic Logs The 3rd party components
Authentication Use Facebook / Google / etc. Login Use multi-factor authentication Implement Proper Password Strength Controls Ensure all passwords are hashed Implement Secure Password Recovery Mechanism Never write your own crypto Prevent Brute- Force Attacks
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Database Access control Use minimal privilege user account If you can use crypto, use it! Store backups in other place(s) Encrypt backups
Input / Output / Validate Client-side and server-side input validation Always validate and encode user input before displaying Never use untrusted user input Input data is always suspect
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Web Traffic TLS Use TLS for the entire site Cookies Cookies must be httpOnly and secure HSTS Use HSTS responses
Logs All user account management activity Every access control related events Application errors and system events Changes to application configuration settings You need readable logs (who? when? where?)
The 3rd party components Libraries • internally or externally • keep them small • check vendor reputation APIs • use a special key to access • testing inputs and outputs • check vendor reputation Microservices • each microservice is separate • use JSON • use TLS
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Testing 1 Create a testing plan 2 Audit your design and implementation 3 Do penetration testing  4 Think like a hacker
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Resume Planning Development Testing
Questions? Security checklist for Web Developers alice.bizarius@gmail.com securit13podcast@gmail.com http://securit13.libsyn.com/ @alice_kaifat

More Related Content

PPTX
Automatically detecting security vulnerabilities in WordPress
Fresh Consulting
 
PPTX
Security Testing - A complete Guide
BugRaptors
 
PPTX
8 must dos for a perfect privileged account management strategy
ManageEngine
 
PDF
Web Sec Auditor
Aung Khant
 
PPTX
IT security : Keep calm and monitor PowerShell
ManageEngine
 
PPTX
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
PPT
Top Keys to create a secure website
Click Ripple Solutions
 
PPTX
Application security [appsec]
Judy Ngure
 
Automatically detecting security vulnerabilities in WordPress
Fresh Consulting
 
Security Testing - A complete Guide
BugRaptors
 
8 must dos for a perfect privileged account management strategy
ManageEngine
 
Web Sec Auditor
Aung Khant
 
IT security : Keep calm and monitor PowerShell
ManageEngine
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
Top Keys to create a secure website
Click Ripple Solutions
 
Application security [appsec]
Judy Ngure
 

What's hot (20)

PDF
Setting up a cost effective Application Security program from scratch by Tusn...
OWASP Delhi
 
PDF
Ajax Fingerprinting Filtering Wth Mod Security2
Aung Khant
 
PPTX
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
PPTX
OWASP
gehad hamdy
 
PPT
Web Application Security
Srivigneshwar R Prasad
 
PPTX
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
PPTX
Sql injection
Praneeth Perera
 
PPTX
Overview of RateSetter web security
RateSetter
 
PPTX
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
 
PDF
What Should Go Into A Web Application Penetration Testing Checklist?
Hacker Combat
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
PPTX
Abusing Google Apps and Data API: Google is My Command and Control Center
Ajin Abraham
 
PPTX
Secure Code Warrior - Os command injection
Secure Code Warrior
 
PPTX
Introduction to OWASP
Thomas F. "T.J." Maher Jr.
 
PPTX
Secure Code Warrior - Authentication
Secure Code Warrior
 
PPTX
Windows 8 programming with html and java script
RTigger
 
PPTX
What not to do with ASP NET
PsiberTech Solutions Pte Ltd
 
PDF
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Setting up a cost effective Application Security program from scratch by Tusn...
OWASP Delhi
 
Ajax Fingerprinting Filtering Wth Mod Security2
Aung Khant
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
OWASP
gehad hamdy
 
Web Application Security
Srivigneshwar R Prasad
 
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
Sql injection
Praneeth Perera
 
Overview of RateSetter web security
RateSetter
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
 
What Should Go Into A Web Application Penetration Testing Checklist?
Hacker Combat
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Abusing Google Apps and Data API: Google is My Command and Control Center
Ajin Abraham
 
Secure Code Warrior - Os command injection
Secure Code Warrior
 
Introduction to OWASP
Thomas F. "T.J." Maher Jr.
 
Secure Code Warrior - Authentication
Secure Code Warrior
 
Windows 8 programming with html and java script
RTigger
 
What not to do with ASP NET
PsiberTech Solutions Pte Ltd
 
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Ad

Similar to Lidiia 'Alice' Skalytska - Security Checklist for Web Developers (20)

PDF
C01461422
IOSR Journals
 
PDF
Scalable threat modelling with risk patterns
Stephen de Vries
 
PDF
Become a Security Ninja
Paul Gilzow
 
PPT
Developing Secure Applications and Defending Against Common Attacks
PayPalX Developer Network
 
PDF
Threat modeling with architectural risk patterns
Stephen de Vries
 
PDF
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Veracode
 
PDF
Mobile Enterprise Application Platform
Nugroho Gito
 
PDF
Web application security (eng)
Anatoliy Okhotnikov
 
PDF
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
PDF
Flutter App Development Best Practices: 10 Essential Security Measures
Shiv Technolabs Pvt. Ltd.
 
PDF
Security As A Service
Olav Tvedt
 
PPT
Securing Your .NET Application
Iron Speed
 
PPTX
7 Step Checklist for Web Application Security.pptx
Probely
 
PDF
Best Practices for Developing Secure Web Applications
ScalaCode
 
PDF
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars
 
PDF
How to Build a Secure Java Web Application.pdf
GeorgeThomas874377
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PPT
Mobile application security Guidelines
Entersoft Security
 
PDF
Web Application Penetration Testing Course in 2025.pdf
daksh908982
 
PDF
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
C01461422
IOSR Journals
 
Scalable threat modelling with risk patterns
Stephen de Vries
 
Become a Security Ninja
Paul Gilzow
 
Developing Secure Applications and Defending Against Common Attacks
PayPalX Developer Network
 
Threat modeling with architectural risk patterns
Stephen de Vries
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Veracode
 
Mobile Enterprise Application Platform
Nugroho Gito
 
Web application security (eng)
Anatoliy Okhotnikov
 
Best Practices for Secure Web Application Development by Site Invention.pdf
siteseo
 
Flutter App Development Best Practices: 10 Essential Security Measures
Shiv Technolabs Pvt. Ltd.
 
Security As A Service
Olav Tvedt
 
Securing Your .NET Application
Iron Speed
 
7 Step Checklist for Web Application Security.pptx
Probely
 
Best Practices for Developing Secure Web Applications
ScalaCode
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars
 
How to Build a Secure Java Web Application.pdf
GeorgeThomas874377
 
00. introduction to app sec v3
Eoin Keary
 
Mobile application security Guidelines
Entersoft Security
 
Web Application Penetration Testing Course in 2025.pdf
daksh908982
 
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
Ad

More from OWASP Kyiv (20)

PDF
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv
 
PPTX
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv
 
PPTX
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
PDF
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv
 
PDF
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv
 
PDF
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv
 
PDF
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv
 
PDF
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv
 
PDF
Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv
 
PDF
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv
 
PDF
Vlada Kulish - Why So Serial?
OWASP Kyiv
 
PDF
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv
 
PDF
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv
 
PDF
Ihor Bliumental - WebSockets
OWASP Kyiv
 
PPTX
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv
 
PDF
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv
 
PPTX
Andriy Shalaenko - GO security tips
OWASP Kyiv
 
PPTX
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv
 
PDF
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv
 
PDF
Ihor Bliumental - Collision CORS
OWASP Kyiv
 
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv
 
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv
 
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv
 
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv
 
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv
 
Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv
 
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv
 
Vlada Kulish - Why So Serial?
OWASP Kyiv
 
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv
 
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv
 
Ihor Bliumental - WebSockets
OWASP Kyiv
 
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv
 
Andriy Shalaenko - GO security tips
OWASP Kyiv
 
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv
 
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv
 
Ihor Bliumental - Collision CORS
OWASP Kyiv
 

Recently uploaded (20)

PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Cloud computing and distributed systems.
kkkkkhan
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
A Presentation on Artificial Intelligence
memembruh336
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 

Lidiia 'Alice' Skalytska - Security Checklist for Web Developers