12/6/2025
When you're building a web app, it's easy to overlook something that might actually be the most important part.
Cybersecurity should be a top priority from the start.
The OWASP Top 10 highlights the most common and serious security risks in web applications.
Vebjørn, a security expert, shares some practical tips for beginners who want to build safer apps.
There are very few processes where you need to remember as many things as when building a new web app. UI, UX, working backend, performance, mobile responsiveness, third-party integrations, automated tests...
With so many things to worry about, it’s easy to overlook something arguably more important than any of those: cybersecurity.
56% of organizations experienced a security breach or compromise related to their web applications in the past 12 months – up from 50% the year before. And things are only getting worse.
Alright, cybersecurity is important – everyone knows that – but how can I, as someone developing a web app, protect my product from attacks?
We asked Vebjørn, an expert in the field of cybersecurity, for practical tips on how an average person working on a web app can effectively protect their product.
Let’s begin with the absolute basics. For web application security, there’s something called the OWASP Top 10. It’s a list of the ten most common and dangerous security issues in web applications, maintained by the OWASP (Open Web Application Security Project) foundation. Its goal is to help you understand and prioritize which security issues to watch out for.
It has never been easier to build software than it is today, as some of the best information and necessary tools are free and readily available. The OWASP Top Ten is a great community project that directly contributes towards also making application security accessible and easier to understand and can help set a direction as to which bug classes to look out for. Exposing an application to the internet necessitates strong security controls, as users trust that their data and the application’s availability will be taken care of. One breach of this trust could be enough to permanently harm or ruin your reputation. ~ Vebjørn
Vebjørn is an Offensive Security Lead with years of experience in the field of penetration testing (ethical hacking) and application security. We asked him to share, based on his experience, the three most important beginner tips for people building a web app:
Take security into account from the very beginning of the development process if possible. Seek out guidance for best security practices for your application stack and implement security checks and balances in your CI/CD pipeline. Examples of this could be IDE plugins, secrets scanners triggered by GitHub Actions, and static code analysis tools.
Don’t create your own authentication mechanisms, cryptographic algorithms or other application components that are core to the overall security of the application (especially if you’re just starting out in application security). There are many great commercial and open-source projects that are easy to use, give a great user experience, and are thoroughly vetted by some of the best in the field. Fully PaaS backends such as Supabase work for some people, while others might prefer Better Auth or Entra ID. Do your own research and find a solution that works best for your application.
Think: What would I do if I were an attacker trying to break something or access unauthorized data? Could I simply increment a parameter such as “userID=47” to “userID=48”, and access another user’s profile? What about this API key that has been hardcoded into main.js? Could it be leveraged in an unintended way? Hackers and penetration testers ask themselves these sorts of questions all the time, as they could very well lead to uncovering some flaws in an application. Think creatively and build with the adversary in mind.
Thanks for these valuable tips!
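The third tip in code, as an added example written for this article rather than taken from Vebjørn or the original post: a profile endpoint that trusts the userID parameter alone (so userID=47 can simply be changed to userID=48), beside a hardened version that checks the requested id against the identity in the session. The in-memory user store, the session shape and the "admin" role are assumptions made for the example.

```javascript
// Constructed in-memory user store standing in for a database (sample data, not real users).
const USERS = new Map([
  [47, { id: 47, email: "alice@example.com", plan: "pro" }],
  [48, { id: 48, email: "bob@example.com", plan: "free" }],
]);

// Vulnerable handler: the only input it acts on is the userID query parameter.
// A logged-in user 47 who requests ?userID=48 receives user 48's profile (an IDOR flaw).
function getProfileVulnerable(session, query) {
  const user = USERS.get(Number(query.userID));
  if (!user) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: user };
}

// Hardened handler: the id from the request is compared with the identity the
// session established before any data is read. A user may only read their own
// profile; a hypothetical "admin" role (assumed for the example) may read any.
function getProfileHardened(session, query) {
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401, body: { error: "authentication required" } };
  }
  const requestedId = Number(query.userID);
  if (!Number.isInteger(requestedId)) {
    return { status: 400, body: { error: "invalid userID" } };
  }
  const isOwner = requestedId === session.userId;
  const isAdmin = session.role === "admin";
  if (!isOwner && !isAdmin) {
    // Answer 404 rather than 403 so the response does not confirm that the id exists.
    return { status: 404, body: { error: "not found" } };
  }
  const user = USERS.get(requestedId);
  if (!user) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: user };
}

// Runs the "increment the parameter" check from the tip against both handlers.
function demo() {
  const session = { userId: 47, role: "user" }; // constructed session for user 47
  return {
    vulnerableLeak: getProfileVulnerable(session, { userID: "48" }).status, // 200: another user's data
    hardenedDenied: getProfileHardened(session, { userID: "48" }).status,   // 404: refused
    hardenedOwn: getProfileHardened(session, { userID: "47" }).status,      // 200: own profile
  };
}
```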
If you haven’t implemented these changes yet, now’s the time! The era when cybersecurity was just a bonus is long over – nowadays, it’s an absolute must!
Want help building a web app that’s secure and functional? Reach out to us, we’ll help you figure out what makes sense and where to start.
Interested in this topic? Check out Vebjørn’s profile on LinkedIn or read what Rocksoft’s CEO, Piotr, shares about 5 things you should consider before starting work on a product.