A Newer Dev's Perspective on Learning OWASP
After developing a firm understanding of OOP, TDD, and Rails, I found myself conflicted about all the directions I could go with my learning. I’ve always understood security was important, but didn’t venture very far beyond general best practices. As a developer, especially one who works with databases and servers, this is a naive and potentially dangerous perspective. The commercial (and sometimes hobby) code we write often affects real human lives and livelihoods, so considering potential exploitation of our work is essential. Thus began my journey in to OWASP.
For those unfamiliar, OWASP stands for Open Web Application Security Project. OWASP is a non-profit community, working collectively to identify and mitigate application vulnerabilities. The OWASP project releases important publications spanning a variety of topics such as AppSec pipelines, penetration testing guides, business risk strategy, development guides, and more. One publication I repeatedly came across during my research was the OWASP Top 10, an evolving list of the 10 most prevalent web application threats. This list serves as a great starting point.
As a kinesthetic learner, when I try to understand a new concept, I often reach for video media to gain a high level understanding before implementing the concept. For the OWASP top 10 I found a wonderful set of instructional videos using a technique called Lightboard Lessons, that can be viewed here. These videos are a great complementary resource with the official top 10 documentation.
After a lot of reading, I found myself wondering “How can I implement this knowledge to further my understanding?” Fortunately, OWASP has us covered with their application “Juice Shop.” Juice Shop is an intentionally insecure web application with vulnerabilities designed to be (legally!) exploited for education and practice. The Juice Shop project can be found here for your learning enjoyment.
With all these free resources, hopefully you can dive in and begin cultivating your knowledge of application security. Attacks continually evolve and become more sophisticated. As ethical and thorough developers, our only choice is to evolve our security practices to keep up. Here’s to 2020 and a more secure internet!