Join Emmanuel Henri for an overview of the top five security threats to your application and a brief introduction to the subject. He also discusses the OWASP (Open Web Application Security Project) Top 10 report.
- There's a growing list of threats for web developers, and keeping abreast of all these security issues must be on your mind daily. So beyond the scope of this course, you need to continue reading on the subject and looking at the common techniques and tools to prevent these issues. OWASP, which I will introduce shortly, is a great place to start and where I always go to understand the latest threats and how to mitigate them. Prevention should always be your number one priority over dealing with an attack after the fact. So here is a brief list of the top five most recurring attacks. The first one is injection attacks. This is when untrusted data is sent to an interpreter as part of a command or a query. The second one is broken authentication. Often the implementation of the authentication is broken and therefore a great opportunity for attackers to get passwords, tokens, and more. The third one is sensitive data exposure. More often than not, the APIs don't properly protect sensitive information and therefore easily provide opportunities for identity theft and other bad information leaks. The fourth one is XML entities. Older or poorly written XML processors can be exploited with XML injection with hostile content. And the last one is broken access control. Restrictions on what users can access are often poorly implemented and allow other users to see sensitive data. So these are five of the most reported attacks, but there are more, and the first place I would go to in order to get a good grasp of all these is the OWASP Top 10 report, which you can get from this link. With this brief overview of the top attacks, hopefully this gives you a starting point for your research.
- Open Web Application Security Project (OWASP)
- Reasons for using a JSON Web Token (JWT)
- Adding bcrypt password hashing
- Adding handlers for registration and login
- Finalizing secured endpoints
- Testing APIs with Postman