Every product owner wants a secure web application, no matter what happens. But at what cost?
Security is a broad topic, and we cannot protect ourselves against everything.
In this talk, Koos will discuss the basics of risk analysis, classes of attackers, attacker goals (reputation damage, DoS, application abuse, data retrieval) and attack vectors, to give an idea of how broad security can be, and then draws a line at the one thing under our control: the application.
During this overview, we will look into some attacks against which we cannot easily defend, some tooling that can give insight, and basic techniques to defend against or mitigate different attacks (e.g. different hashing schemes, Content Security Policy, input validation and the mass assignment vulnerability). Implementing these helps, but no lunch is free (except, of course, at DevCon).
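To make two of the named techniques concrete, here is an added example that is not part of the talk or of any project it describes: a mass assignment bug beside its hardened form, where the fix is input validation against an allow-list of client-writable fields. The `User` model, the `update_user_*` functions and the request body are all constructed for illustration.

```python
"""Mass assignment: vulnerable vs. hardened update of a user record.

Constructed example (not from the talk): a JSON body from a profile-edit
form is applied to a User object. The naive version copies every key the
client sends, so an attacker adds "role": "admin" to an ordinary request.
"""
from dataclasses import dataclass
import json


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "user"      # privileged field: must never be client-writable
    is_active: bool = True


def update_user_vulnerable(user: User, payload: dict) -> User:
    """Naive: every key the client sends becomes an attribute (mass assignment)."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# Allow-list of fields a user may change about themselves, with the required type.
PROFILE_WRITABLE = {
    "email": str,
    "display_name": str,
}


class ValidationError(ValueError):
    pass


def update_user_hardened(user: User, payload: dict) -> User:
    """Only copy allow-listed fields, after checking their type and basic shape."""
    unknown = set(payload) - set(PROFILE_WRITABLE)
    if unknown:
        # Reject rather than silently drop: an unexpected key is worth logging.
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    for key, expected_type in PROFILE_WRITABLE.items():
        if key not in payload:
            continue
        value = payload[key]
        if not isinstance(value, expected_type):
            raise ValidationError(f"{key}: expected {expected_type.__name__}")
        if key == "email" and ("@" not in value or len(value) > 254):
            raise ValidationError("email: malformed")
        if key == "display_name" and not (1 <= len(value) <= 64):
            raise ValidationError("display_name: length must be 1..64")
        setattr(user, key, value)
    return user


# Constructed attacker request: a legitimate edit plus an extra privileged field.
ATTACKER_BODY = json.dumps({"display_name": "mallory", "role": "admin"})


def is_rejected(payload: dict) -> bool:
    """True if the hardened updater refuses the payload (exercises the checks)."""
    try:
        update_user_hardened(User(0, "x@example.com", "x"), dict(payload))
    except ValidationError:
        return True
    return False


def demo() -> tuple:
    """Return (role after vulnerable update, role after hardened update)."""
    payload = json.loads(ATTACKER_BODY)
    victim = update_user_vulnerable(User(1, "m@example.com", "m"), dict(payload))
    safe = User(2, "m@example.com", "m")
    try:
        update_user_hardened(safe, dict(payload))
    except ValidationError:
        pass  # request rejected as a whole, role unchanged
    return victim.role, safe.role


if __name__ == "__main__":
    print(demo())  # ('admin', 'user')
```

The point of the hardened version is that the set of writable fields lives in server code, not in whatever the client chose to send, and that a request carrying anything outside that set is rejected outright rather than partially applied.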