
We use web applications for so many things in everyday life. Thus, several times a day, we find ourselves inputting sensitive information into many different types of online channels.

As developers, we face a lot of challenges, of which security is both important and often underrated. Because of that, we should be dedicated to making more of an effort at protecting and securing those applications.

To this day, no web technology has been proven invulnerable. Most cyberattacks in past years have exploited software vulnerabilities, and such programming mistakes leave web applications, web servers, and websites exposed.

There are several rules developers have to follow in the process of developing modern web applications, in order to achieve a high level of security.

Introduction

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to improving the security of software.

OWASP operates via an open community model, where anyone can participate in, and contribute to, projects, events, online chats, and more. A guiding principle of OWASP is that all materials and information are free and easily accessed on their website. It offers everything, from tools, videos, forums, and projects to events. In short, it's a repository of all things web-application security, backed by the extensive knowledge and experience of its open community contributors.

What is the OWASP Top 10?

The OWASP Top 10 is a document prepared by OWASP that provides a ranking of the top 10 most critical risks. It also offers the solutions for avoiding them.

The risks are ranked based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. The purpose of the document is to offer developers and web application security professionals insight into the most prevalent security risks.

This allows us to incorporate the report’s findings and recommendations into our security practices, thereby minimizing the presence of these known risks in our applications. Let's cover them.


1. Injection. A code injection occurs when an attacker sends invalid data to a web application, with the intent of making the application do something it was not designed to do. There are many types of injection, and most of them are delivered through the application's input forms.

  • Example: SQL injection is one of the most common injection flaws found in applications. SQL injection flaws are caused by an application using untrusted data when constructing a vulnerable SQL call. For example, if the application builds its login query by concatenating the submitted username and password directly into the SQL text, you'd form:

    "SELECT * FROM users WHERE user_name = '" + uname + "' AND password='" + pwd + "'"
  • Solution: Use a safe API, which avoids the use of the interpreter entirely and provides a parameterized interface. Otherwise, migrate to use Object Relational Mapping Tools (ORMs). Sanitize user input, and use positive or “whitelist” server-side input validation.
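As an added illustration (not code from the article), here is the concatenated query above beside its parameterized counterpart in Python's sqlite3 module, plus the positive-validation check from the solution; the users table, sample accounts and username policy are constructed for this example.

```python
import re
import sqlite3

# Constructed sample users for this demonstration (hypothetical, not from the article).
SAMPLE_USERS = [("alice", "wonderland"), ("o'brien", "s3cret")]

def make_db():
    """In-memory SQLite table; the plaintext password column only mirrors the article's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def find_user_unsafe(conn, uname, pwd):
    """Concatenation as in the article: the untrusted strings become part of the
    SQL text, so a quote character inside them changes the statement itself."""
    query = ("SELECT * FROM users WHERE user_name = '" + uname
             + "' AND password='" + pwd + "'")
    return conn.execute(query).fetchall()

def find_user_safe(conn, uname, pwd):
    """Parameterized query: the values travel separately from the SQL text and
    are only ever treated as data, whatever characters they contain."""
    query = "SELECT * FROM users WHERE user_name = ? AND password = ?"
    return conn.execute(query, (uname, pwd)).fetchall()

# Positive ("whitelist") validation with an assumed username policy for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

def is_valid_username(uname):
    return USERNAME_RE.fullmatch(uname) is not None

def run_demo():
    """Run both lookups against the sample data and report what happened."""
    conn = make_db()
    results = {
        "unsafe_plain": find_user_unsafe(conn, "alice", "wonderland"),
        "safe_plain": find_user_safe(conn, "alice", "wonderland"),
        "safe_quote": find_user_safe(conn, "o'brien", "s3cret"),
        "safe_wrong_pwd": find_user_safe(conn, "alice", "wrong"),
        "valid_names": [is_valid_username(u) for u, _ in SAMPLE_USERS],
    }
    try:  # the same quote character breaks the concatenated statement
        find_user_unsafe(conn, "o'brien", "s3cret")
        results["unsafe_quote_error"] = False
    except sqlite3.Error:
        results["unsafe_quote_error"] = True
    return results
```

An ordinary apostrophe in a username is enough to show the difference: the concatenated statement fails to parse, while the parameterized one returns the matching row, and the whitelist check rejects the name independently of either query.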
