So you want to learn web security?

Najaf Ali, Bearclaw
Aug 24, 2016

For better or worse, I’ve positioned myself as an expert on web application security. This is worrying for me, as I’ve never worked for a security company. I’ve never worked alongside pen-testers and have had no real mentoring on the topic. All of my security knowledge is self-taught.

At the same time, at BearClaw I do vulnerability assessments for clients and consistently find security flaws in code that their own development team missed. This means I’m probably OK at security, or at least one or two steps ahead of the average web application developer.

I often get asked by developers where to start when they want to improve their security skills. Rather than respond to each of them individually, I’m writing this post with my collected advice on how to start writing more secure software.

1. Read the Web Application Hacker's Handbook

This is the bible of web application security. Any vulnerability you find in your own code is likely to be a variation of a vulnerability already documented in this book. Read it cover to cover, take notes, and then keep it by your desk.

2. Do lots of web security exercises

It’s difficult to appreciate the impact of security vulnerabilities without being able to exploit the vulnerabilities yourself. Security exercises are an opportunity for you to do that in a safe environment where there’s definitely a vulnerability present for you to exploit.

Here are some good examples:

Side note: did I mention we run a security workshop? People tell me this is a good workshop: https://ti.to/bearclaw/rails-security-workshop-september–2016/

3. Do the Matasano Crypto Challenges

If any developer ever asks me for any advice about anything, the second thing I usually say to them is “Do the Matasano Crypto Challenges”. I really want you to do the Matasano Crypto Challenges. You should do the Matasano Crypto Challenges.

Completing just the first three sets will put you in the tiny subset of programmers that have a semblance of a clue about cryptography in practice. Please do them, for my sake and for yours.

I want you to do them because they’re fun. They will make you terrified of doing cryptography, and this is a good thing. They will allow you to have coherent opinions about the cryptography you see put to use in the average web application. You will be armed with concrete reference experiences when making decisions about cryptography, rather than empty soundbites that other developers repeat to themselves.

4. Implement basic security mechanisms by hand

Think about the basic security mechanisms that most web applications implement and try coding them up from scratch. In particular:

  • Registration (including password storage)
  • Login/logout
  • Password reset
  • Role-based authorisation (e.g. “admin” vs. “standard” users)

Now think about how your implementation might be vulnerable. Is your password storage mechanism susceptible to brute forcing in case of a data breach? Can an attacker craft password reset tokens? Can your registration form be used to modify the data of any user? Can a user sneakily upgrade themselves from standard to admin using the forms on your site? If a user’s laptop is stolen while they’re logged in, is there a way you can log them out remotely?

Think about how to mitigate these vulnerabilities and how to write these features so they withstand security breaches at various levels. Look at the code of a library like Devise and think about how they avoid various types of vulnerabilities.
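As an added example (not code from the original post or from Devise), here is a minimal in-memory sketch in Ruby of the four mechanisms above, written so that each of the questions in the previous paragraph has a concrete answer: a slow salted hash (PBKDF2) for password storage, a random reset token that is stored only as a digest, expires and is single-use, a session version that lets you log a user out of every device remotely, and a registration path that ignores any submitted role so a user cannot promote themselves. The `HandRolledAuth` module, the `Store` class and its method names are assumptions made for this example; a real application would put this behind a database and a vetted library.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Added example (not from the original post): an in-memory model of registration,
# login/logout, password reset and role-based authorisation. Module, class and
# method names are assumptions for this example.
module HandRolledAuth
  PBKDF2_ITERATIONS = 100_000   # slow hash: offline brute force after a breach costs 100k HMACs per guess
  KEY_LENGTH        = 32
  RESET_TOKEN_TTL   = 15 * 60   # reset tokens expire after 15 minutes

  User = Struct.new(:email, :salt, :password_hash, :role,
                    :session_version, :reset_token_digest, :reset_expires_at)

  # Constant-time comparison so hash or token matching does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.hash_password(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: KEY_LENGTH, hash: 'sha256').unpack1('H*')
  end

  class Store
    def initialize
      @users = {}
    end

    # Registration: only :email and :password are read from the submitted form.
    # The role is always "standard", so a crafted request cannot register an admin.
    def register(params)
      email, password = params.fetch(:email), params.fetch(:password)
      raise ArgumentError, 'email taken' if @users.key?(email)
      salt = SecureRandom.random_bytes(16)
      @users[email] = User.new(email, salt, HandRolledAuth.hash_password(password, salt),
                               'standard', 0, nil, nil)
    end

    # Login: returns a session (email + version) on success, nil on any failure.
    def authenticate(email, password)
      user = @users[email]
      return nil unless user
      candidate = HandRolledAuth.hash_password(password, user.salt)
      return nil unless HandRolledAuth.secure_compare(candidate, user.password_hash)
      { email: email, version: user.session_version }
    end

    # A session is valid only while its version matches the user's current one.
    def session_valid?(session)
      user = @users[session[:email]]
      !user.nil? && session[:version] == user.session_version
    end

    # Remote logout (stolen laptop): bumping the version invalidates every issued session.
    def logout_everywhere(email)
      @users.fetch(email).session_version += 1
    end

    # Password reset: an unguessable random token; only its digest is stored, so a
    # database read alone does not yield a usable token. Returns nil for unknown
    # emails without raising, so the caller can respond identically either way.
    def request_password_reset(email, now: Time.now)
      user = @users[email]
      return nil unless user
      token = SecureRandom.urlsafe_base64(32)
      user.reset_token_digest = Digest::SHA256.hexdigest(token)
      user.reset_expires_at = now + RESET_TOKEN_TTL
      token   # in a real app this is emailed to the user, never shown in a response
    end

    def reset_password(token, new_password, now: Time.now)
      digest = Digest::SHA256.hexdigest(token)
      user = @users.values.find do |u|
        u.reset_token_digest && HandRolledAuth.secure_compare(u.reset_token_digest, digest)
      end
      return false if user.nil? || now > user.reset_expires_at
      user.salt = SecureRandom.random_bytes(16)
      user.password_hash = HandRolledAuth.hash_password(new_password, user.salt)
      user.reset_token_digest = user.reset_expires_at = nil   # single use
      user.session_version += 1                               # log out existing sessions
      true
    end

    # Role changes come only from an existing admin, never from a self-service form.
    def promote_to_admin(actor_email, target_email)
      return false unless @users[actor_email]&.role == 'admin'
      @users.fetch(target_email).role = 'admin'
      true
    end

    def role_of(email)
      @users.fetch(email).role
    end
  end
end
```

The point of the exercise is the questions the code answers, not the code itself: try removing the salt, the iteration count, the token expiry or the session version and work out which of the attacks from the previous paragraph becomes possible in each case.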

5. Go bug-hunting

Now that you’ve built up your skills, it’s time to put them into practice. Sign up as a hacker on HackerOne, look for open bounties and see if you can find security holes in production websites. You might earn a bit of money in the process. You’ll definitely learn something.

Bonus: Reading list

More books for you to read:

Closing note

If you get through all of that and are interested in doing both development and security assessments, send us an email to say hello: contact@happybearsoftware.com
