Learn the basics of Transport Layer Security (TLS), HTTPS, the difference between authentication and authorization, and common web vulnerabilities and how to mitigate them.
This guide assumes you have some basic foundational knowledge in the way the web works.
Brush up on the basics of the web if needed.
Although I've been working in IT for a little over a decade, I am not a security professional. I have a strong understanding of fundamentals and practices. I know enough to be dangerous, as they say.
Security is another huge pillar in the IT and Software Engineering fields. It's so big that you can specialize just in security. What you need to get out of this section is a good understanding and awareness of some basic security terminology, tools, and practices.
Tip: Getting security right is a very hard thing to do on your own. When you get hired your organization will, hopefully, have a team dedicated to just security and experts to consult with on the best way to secure your programs and to their standards.
The foundation of security is cryptography: protecting information so that only the intended parties can read it (confidentiality), any tampering can be detected (integrity), and each party can prove who it is (authentication). It starts with creating and sharing secrets, such as keys, between private parties.
Technology and applications are secured by protocols that build cryptography into their specifications. TLS is the one you will meet most often: HTTPS is simply HTTP carried over a TLS connection, which encrypts the traffic and lets the client verify the server's certificate before trusting it.
The most useful tool for working with all of this is the openssl command-line utility, which can perform a number of cryptographic functions, including generating keys, creating and inspecting certificates, and connecting to a TLS server to see which certificate it presents.
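As an added example (not code from the original guide), here is the key-and-certificate workflow scripted around the openssl commands a practitioner would otherwise type: generate a private key, issue a self-signed certificate, then inspect and check it. It assumes an `openssl` binary (1.1.1 or newer, for `-addext`) on PATH; the hostnames are made up.

```python
"""Added example, not from the original guide: scripting the openssl CLI.

Generates a private key and a self-signed certificate, then inspects and checks
them, the same steps a practitioner would otherwise type at a shell.  Assumes an
`openssl` binary (1.1.1 or newer, for -addext) on PATH; the hostnames are made up.
"""
import subprocess
import tempfile
from pathlib import Path


def run_openssl(*args: str) -> str:
    """Run one openssl subcommand and return its stdout; raise if it fails."""
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def make_self_signed_cert(out_dir: Path, hostname: str, days: int = 365) -> tuple:
    """Create a P-256 private key and a self-signed X.509 certificate for `hostname`."""
    key_path, cert_path = out_dir / "key.pem", out_dir / "cert.pem"
    # P-256 is smaller and faster than RSA-2048 and accepted by every modern client.
    run_openssl("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", str(key_path))
    # -subj avoids the interactive prompts; -addext puts the hostname in a Subject
    # Alternative Name, which browsers require (a CN on its own is ignored).
    run_openssl("req", "-new", "-x509", "-sha256", "-key", str(key_path), "-out", str(cert_path),
                "-days", str(days), "-subj", f"/CN={hostname}",
                "-addext", f"subjectAltName=DNS:{hostname}")
    return key_path, cert_path


def cert_info(cert_path: Path) -> dict:
    """The fields you look at before trusting a certificate, as a dict."""
    out = run_openssl("x509", "-in", str(cert_path), "-noout",
                      "-subject", "-issuer", "-dates", "-fingerprint", "-sha256")
    info = {}
    for line in out.splitlines():           # lines look like "notAfter=..." or "sha256 Fingerprint=..."
        key, _, value = line.partition("=")
        info[key.strip().lower()] = value.strip()
    # SANs are only shown by -text; collect the DNS names as a list.
    text = run_openssl("x509", "-in", str(cert_path), "-noout", "-text")
    info["dns_names"] = [tok[4:].rstrip(",") for tok in text.split() if tok.startswith("DNS:")]
    return info


def key_matches_cert(key_path: Path, cert_path: Path) -> bool:
    """The public key inside the cert must be the one derived from the private key."""
    from_key = run_openssl("pkey", "-in", str(key_path), "-pubout")
    from_cert = run_openssl("x509", "-in", str(cert_path), "-noout", "-pubkey")
    return from_key == from_cert


def verifies_against(cert_path: Path, ca_path: Path) -> bool:
    """openssl verify: signature, validity window and constraints against a trust anchor.
    Returns False instead of raising so a failed check can be reported."""
    proc = subprocess.run(["openssl", "verify", "-CAfile", str(ca_path), str(cert_path)],
                          capture_output=True, text=True)
    return proc.returncode == 0


def demo() -> dict:
    """Build two unrelated self-signed certs and run every check; returns the results."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        other = Path(tmp) / "other"
        site.mkdir()
        other.mkdir()
        key, cert = make_self_signed_cert(site, "example.test")
        _, other_cert = make_self_signed_cert(other, "other.test")
        info = cert_info(cert)
        return {
            "subject": info["subject"],
            "dns_names": info["dns_names"],
            "fingerprint": info["sha256 fingerprint"],
            "key_matches": key_matches_cert(key, cert),
            # A self-signed cert verifies only when it is itself the trust anchor ...
            "self_verifies": verifies_against(cert, cert),
            # ... and fails against anything else, which is what a browser sees.
            "verifies_against_other": verifies_against(cert, other_cert),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same `openssl x509` inspection works on a certificate you fetch from a live server with `openssl s_client -connect host:443 -showcerts`, which is the quickest way to see why a browser is complaining about a site.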
Once communication between clients and servers is secured with cryptographic protocols, the next layer of security practices can be implemented: authentication and authorization. Authentication is identifying the user and verifying they are who they say they are. Authorization occurs after authentication and determines what the authenticated user can or cannot do or view.
Tip: Unless you are doing it to learn, it's never wise to implement your own authentication system from scratch; most likely you will not do it correctly and it will have vulnerabilities. Use known, vetted libraries and reputable auth providers when possible. What you authorize an authenticated user to see and do is still largely up to you and your team.
Read the article defining these terms along with their types.
The most common methods for keeping a user authenticated across requests are sessions and JSON Web Tokens (JWTs). With a session the server stores the logged-in state and gives the browser an opaque session ID, usually in a cookie. With a JWT the server signs a token carrying the user's identity and an expiry time, so it does not have to store anything, but it also cannot revoke the token before it expires without extra bookkeeping.
A more advanced method is OAuth, which lets a user grant your application limited access to their account on another service without ever sharing their password; OpenID Connect builds login on top of it, which is what "Sign in with ..." buttons use.
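As an added example (not code from the original guide), here is the OAuth 2.0 authorization-code flow with a `state` parameter and PKCE, with both the client and the authorization server simulated in one process so the whole exchange can be stepped through. The client id, redirect URI, endpoints and users are constructed; both classes are toy in-memory stand-ins for real implementations, which would also authenticate the client, match redirect URIs exactly and issue refresh tokens.

```python
"""Added example, not from the original guide: OAuth 2.0 authorization-code flow with
`state` and PKCE (RFC 7636), both sides simulated in one process.

Client id, redirect URI, endpoints and users are constructed; the classes are toy
stand-ins for a real client and authorization server.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Client:
    """The application that wants access on the user's behalf."""

    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.pending: dict = {}        # state -> code_verifier, kept until the callback arrives

    def start(self, authorize_endpoint: str) -> str:
        verifier = b64url(secrets.token_bytes(32))               # 43 chars, the RFC 7636 minimum
        challenge = b64url(hashlib.sha256(verifier.encode()).digest())
        state = secrets.token_urlsafe(16)                         # ties the callback to this login
        self.pending[state] = verifier
        return authorize_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "read", "state": state,
            "code_challenge": challenge, "code_challenge_method": "S256"})

    def callback(self, redirect_url: str, server: "AuthServer") -> dict:
        q = query(redirect_url)
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:           # state the client never issued, or already consumed
            return {"error": "state_mismatch"}
        return server.token("authorization_code", q.get("code", ""), self.redirect_uri,
                            self.client_id, verifier)


class AuthServer:
    """The provider that holds the user's account."""

    def __init__(self):
        self.codes: dict = {}          # code -> what was promised when it was issued
        self.tokens: dict = {}         # access token -> user

    def authorize(self, authorize_url: str, user: str) -> str:
        """User has logged in and consented (simulated); redirect back with a one-time code."""
        q = query(authorize_url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            return q.get("redirect_uri", "") + "?" + urlencode({"error": "invalid_request"})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "challenge": q["code_challenge"], "user": user,
                            "expires": time.time() + 60}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, grant_type: str, code: str, redirect_uri: str, client_id: str,
              code_verifier: str) -> dict:
        rec = self.codes.pop(code, None)                          # a code is redeemable once
        if rec is None or grant_type != "authorization_code" or rec["expires"] < time.time():
            return {"error": "invalid_grant"}
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        # PKCE: whoever redeems the code must know the verifier the challenge was built from,
        # so a code captured from the redirect (logs, referrer, a rogue app) is useless alone.
        got = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(got, rec["challenge"]):
            return {"error": "invalid_grant"}
        access = secrets.token_urlsafe(32)
        self.tokens[access] = rec["user"]
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600}


def simulate() -> dict:
    """Happy path plus the attacks that state and PKCE exist to stop."""
    server = AuthServer()
    client = Client("demo-app", "https://app.example/callback")
    redirect = server.authorize(client.start("https://idp.example/authorize"), "alice")
    happy = client.callback(redirect, server)
    replay = client.callback(redirect, server)                    # same redirect delivered twice
    forged = client.callback(client.redirect_uri + "?code=x&state=never-issued", server)
    # Attacker captured a redirect URL but not the verifier, which never left the client.
    redirect2 = server.authorize(client.start("https://idp.example/authorize"), "alice")
    stolen = server.token("authorization_code", query(redirect2)["code"],
                          client.redirect_uri, "demo-app", "guessed-by-attacker")
    return {"happy": happy, "replay": replay, "forged_state": forged, "stolen_code": stolen,
            "user_of_token": server.tokens.get(happy.get("access_token"))}
```

Two details carry most of the security: the code is single use and short lived, and the code verifier never appears in any URL, so the only party that can turn a code into a token is the one that began the flow.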
Having a secured connection and authentication/authorization practices in place is still not enough. Web vulnerabilities are weaknesses or flaws in web applications that attackers can exploit to gain unauthorized access, steal data, or disrupt services. This is not an exhaustive list, just the best known.
SQL injection: attackers inject malicious SQL into queries built from user input, compromising databases and exposing or altering sensitive data. Mitigation: use parameterized queries (prepared statements) so input is never treated as part of the SQL.
Cross-site scripting (XSS): malicious scripts are injected into web pages and run in other users' browsers, stealing their data or performing actions on their behalf. Mitigation: encode output for the context it lands in (HTML body, attribute, JavaScript, URL), and add a Content Security Policy as a second layer.
Cross-site request forgery (CSRF): attackers trick a logged-in user's browser into sending a request the user never intended, riding on their authenticated session. Mitigation: anti-CSRF tokens on state-changing requests and the SameSite cookie attribute.
Insecure direct object reference (IDOR), a form of broken access control: unauthorized access to internal objects, like files or records, because the server trusts an identifier from the request instead of checking that the current user may access that object. Mitigation: enforce an authorization check, server side, on every object access.
Security misconfiguration: insecure settings, like default credentials, verbose error messages, directory listings or debug mode left on in production, leave web applications open to attack. Mitigation: harden and review configuration, change every default, and keep software patched.
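As an added example (not code from the original guide), four of the flaws above are shown in their vulnerable form beside the fix, against an in-memory SQLite database. The users, records, passwords and session ids are constructed for the demo (a real system stores a password hash, never the password). Security misconfiguration is a deployment matter and is not shown in code.

```python
"""Added example, not from the original guide: SQL injection, XSS, CSRF and IDOR,
vulnerable form next to the fix, using only the standard library.

Users, records, passwords and session ids are constructed for the demo.
"""
import hmac
import html
import secrets
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users   (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
    CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
    INSERT INTO users   VALUES (1, 'alice', 'alice-pw'), (2, 'bob', 'bob-pw');
    INSERT INTO records VALUES (10, 1, 'alice private note'), (11, 2, 'bob private note');
""")


# SQL injection: input pasted into the query text can change the query itself.
def login_vulnerable(name: str, password: str):
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone()   # name "alice' --" comments out the password check


def login_safe(name: str, password: str):
    # Parameters travel separately from the SQL; the driver never treats them as code.
    return db.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                      (name, password)).fetchone()


# XSS: untrusted text dropped into HTML becomes markup; encode it for the HTML context.
def render_comment_vulnerable(comment: str) -> str:
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    return f"<p>{html.escape(comment, quote=True)}</p>"


# CSRF: the browser attaches the session cookie to any request, including one a hostile
# page triggers.  Require a value the hostile page cannot read, bound to the session.
CSRF_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    return hmac.new(CSRF_KEY, session_id.encode(), "sha256").hexdigest()


def transfer_vulnerable(session_id: str, form: dict) -> str:
    return f"sent {form['amount']} on behalf of session {session_id}"


def transfer_safe(session_id: str, form: dict) -> str:
    submitted = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(submitted, csrf_token(session_id).encode()):
        return "rejected: missing or invalid CSRF token"
    return f"sent {form['amount']} on behalf of session {session_id}"


# IDOR: the record id comes from the URL; the query must also check who owns the record.
def get_record_vulnerable(current_user_id: int, record_id: int):
    row = db.execute("SELECT body FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


def get_record_safe(current_user_id: int, record_id: int):
    row = db.execute("SELECT body FROM records WHERE id = ? AND owner_id = ?",
                     (record_id, current_user_id)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(login_vulnerable("alice' --", "wrong"), login_safe("alice' --", "wrong"))
    print(render_comment_safe("<script>alert(1)</script>"))
    print(transfer_safe("sess-1", {"amount": 5}))
    print(get_record_vulnerable(1, 11), get_record_safe(1, 11))
```

The CSRF token here is the synchronizer pattern with the token derived from the session id; pair it with `SameSite=Lax` or `Strict` on the session cookie so the browser itself stops most cross-site POSTs before the token check is needed.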
The OWASP Top 10 is a list of the 10 most critical web application security risks, guiding developers and security professionals in mitigating common vulnerabilities and promoting secure development practices.