Webapps security advice

pma111
If you wanted to learn web applications from a security angle, where would you start? I.e. you won't ever be developing software yourself, but you may be asked to audit it or pen-test it at a later date.

With that in mind, are there elements of web development that you don't need to focus on so much, or are you best just learning web development from the angle of a developer and taking the security angle out of the equation?

And with so many languages, where do you start? I.e. how do you identify which language to learn, and is it easier to transfer to another language, or do you need to learn each from scratch? Is there a "most commonly used" language out there, or could you give me perhaps a 1-5 list, with 1 being the most commonly used and 5 being a rare development language, just so I can see what's most "out there"?
Commented:
Web application security is a huge subject.

For best practice, the Build Security In home page is your friend: https://buildsecurityin.us-cert.gov/

This PDF links to a plethora of other articles:
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/measurement/1070-BSI.pdf

I use PHP, Python/Java and C# for web apps. I wouldn't say one is more secure than the other. It also comes down to the infrastructure your software will be running on. Public Key Infrastructure (PKI) and SSL are also important to understand when wanting to secure web applications.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Java will be a common language since it is platform agnostic, and the XML format is driving the next Web 2.0 and identity-federated services into the cloud computing hype.
Antonio Estrada, Engineering Manager / Architect
Commented:
A great tool for testing how secure your website is (regardless of technology) is IBM's Rational AppScan.

That'll look for common (and not so common) flaws in your webapp and try to exploit them. Things like SQL Injection, Cross Site Scripting (XSS) and the like.

The most common languages are C# and Java, but neither is more secure than the other, it all comes down to how it's coded. You also need to look into password encryption, session validation to prevent hijacking, server stuff like SSL to encrypt the data sent to it and the like.

Good Luck!
-V
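The flaws Antonio names above (SQL injection, XSS, password handling) are easiest to understand next to the code that causes and prevents them. The following is an added example written for this thread, not code from Antonio, from IBM Rational AppScan, or from any project mentioned here; it uses Python with the standard library (`sqlite3`, `html`, `hashlib`) rather than C# or Java, and every function name and the in-memory `users` table are constructed for the demonstration.

```python
import hashlib
import hmac
import html
import os
import sqlite3

# Constructed in-memory database for the demo (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # SQL injection: the query is built by string concatenation, so a quote
    # character in the input ends the literal and the rest becomes SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Parameterized query: the driver binds the input as data, never as SQL,
    # so a quote in the name is matched literally and nothing else changes.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def render_greeting(name):
    # Output encoding for the HTML context: '<', '>', '&' and quotes become
    # entities, so user-controlled text cannot become markup (reflected XSS).
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def hash_password(password, salt=None):
    # Passwords are stored as a salted, slow hash rather than "encrypted":
    # a unique random salt per user defeats precomputed tables, and the
    # iteration count makes brute force expensive. Stored as "salt$digest".
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every user leaks
    print("safe:      ", lookup_safe(db, probe))        # no match
    print(render_greeting("<script>alert(1)</script>"))
    record = hash_password("correct horse")
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

The same three fixes carry across languages: prepared statements or an ORM for queries, context-aware output encoding for anything rendered into a page, and a salted slow hash (PBKDF2, bcrypt, scrypt or Argon2) for credentials. A scanner such as AppScan finds the first two by sending inputs like `probe` above and watching the response; the code side of an audit is checking that every query and every template output goes through the safe path.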
xG5

Commented:
Awesome links breadtan!

I forgot that McAfee has a really good link, HACME.

It's in the Foundstone SASS tools.
http://www.mcafee.com/us/downloads/free-tools/index.aspx
