The article today is specially dedicated to all my friends, colleagues, and acquaintances who are developers.
I'll start by saying that you have an immense responsibility that you might not be fully aware of.
Delivering that ready application on time, as defined at the beginning of the project, is the priority, and security is often neglected. And that's exactly where the problem lies. Application security cannot be overlooked.
I know it would be much easier if your training or courses in general already encouraged secure development, but since that's not the case, I want to be that encourager.
To illustrate the scenario, let's review the 7 highlights from the Datadog State of Application Security Report for 2023:
Fact 1: Only 3% of critical vulnerabilities are worth prioritizing;
Fact 2: Risks increase with the number of third-party dependencies;
Fact 3: Java services have the highest risks;
Fact 4: Organizations still face vulnerabilities discovered in the 90s;
Fact 5: 3/4 of attacks don't have a specific target;
Fact 6: PHP is the most targeted language in attacks;
Fact 7: At least 11% of attacks target non-production environments.
Even though I've presented them as bullet points, as the details can be found in the report, having this overview of the current state of Web Application Security can already be the starting point for you to begin developing securely.
Okay, Vitor, you've convinced me. I'll start paying attention to this from now on. But where do I begin?
I recommend the following materials for you:
Practical trainings:
e and more materials from the great reference in the field, Tanya Janca:
Twitter: @shehackspurple
Her blog : https://shehackspurple.ca/resources/
Her book: Alice and Bob Learn Web Application
Of course, there are many other good materials on secure development, but by delving into the ones I shared here and implementing them in the code you develop daily, I'm confident that secure development best practices will become much more natural.
In doing so, you'll be contributing to a more secure web, developing professionally, ensuring the security of user and client data, and, on top of that, ensuring that your applications comply with Brazillian Data Protection Law requirements regarding privacy by design and by default.