What is "Security Awareness"
Security awareness is about the knowledge and attitude of team members regarding the protection of company assets and software.
Let's talk about the attitude (leaving the OWASP Top Ten aside for the knowledge part for now, since defects, bugs, and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities).
What is "Secure Coding"
So we can think of code review, code style guides, and well-maintained, well-structured, tested code as the very basis. Following these practices (along with others, like code analysis with tools such as Snyk or Semgrep) might lead us to assume a certain confidence that the code is secure.
Building secure software requires more than this, though. It also requires a basic understanding of security principles and practices, of insecure patterns, and of the language, technologies, third parties, and other aspects the frontend relies on throughout its development.
What is "Zero Trust"
But the attitude (along with training) plays a relevant and indispensable role. And our key to attitude is not to trust. This is why:
The approach developers follow differs from the one attackers walk down.
- A development team designs an application to perform specific tasks based on functional requirements and use cases.
- Meaning a Dev team approaches an application based on what it is intended to do.
Conversely, attackers primarily think that "any action not specifically denied could be allowed", and take more interest in the unintended or unexpected behavior than in the results of the expected use case.
Not trusting that the code will always be used as expected is the basis and first layer of defense in our attitude, and it extends to verification, limiting the impact, and properly handling the response. In this context, it's what we can call Frontend Devs' Zero Trust.
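As an added example (not from the original post) of this mindset shift in frontend code: the same redirect helper written first from the "intended use" side, then from the zero-trust side, with verification, a limited blast radius, and a handled response. The trusted origin, the fallback path and the `report` hook are assumptions.

```javascript
// Added example, not code from the original post. Values below are constructed.
const TRUSTED_ORIGIN = "https://app.example.com"; // assumed own origin
const SAFE_FALLBACK = "/home";                     // assumed safe default

// Mindset 1: "block what we know is bad". Anything not specifically denied
// is allowed, because only the expected use case (a relative path) was
// considered when the check was written.
function redirectTargetDenyList(next) {
  if (typeof next !== "string" || next.startsWith("javascript:")) {
    return SAFE_FALLBACK;
  }
  return next; // a protocol-relative "//other.example/x" is not denied, so it passes
}

// Mindset 2: verify against what is explicitly allowed, limit the impact of
// a failure (always fall back to a safe default) and handle the response
// (report what was rejected instead of silently swallowing it).
function redirectTargetAllowList(next, report = () => {}) {
  let target;
  try {
    // Resolving against our own origin means "//host/path" is parsed as an
    // absolute URL on another host, not as a relative path.
    target = new URL(String(next), TRUSTED_ORIGIN);
  } catch (err) {
    report({ reason: "unparseable", value: String(next) });
    return SAFE_FALLBACK;
  }
  if (target.origin !== TRUSTED_ORIGIN) {
    report({ reason: "foreign-origin", value: target.href });
    return SAFE_FALLBACK;
  }
  // Hand back only the normalized path and query, never the caller's raw string.
  return target.pathname + target.search;
}
```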
Conclusion
Let's summarize:
- What is "Security Awareness"? attitude and training.
- What is "Secure Coding"? principles and practices.
- What is "Zero Trust"? Not trusting that the code will always be used as expected is the basis and first layer of defense in our attitude.
Resources
- Front-End:
- OWASP Foundation: https://owasp.org/www-project-top-ten/
- Back-End:
- OWASP Foundation: https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html
- Security Best Practices: https://nodejs.org/en/docs/guides/security
- AWS Vulnerabilities already found: