Secure web development: How real security vulnerabilities can help avoid mistakes

Published on October 16, 2024

Security gaps in web applications are more common than ever. But how can developers make sure their apps are secure during the planning and implementation stages? Clemens Hübner, a security engineer at inovex GmbH, will talk about security flaws at the 'What the Web!? Failures & Future Fixes' meetup and explain how to learn from others' mistakes.
Learning from real vulnerabilities: Web security in action

In his talk at the 'What the Web!? Failures & Future Fixes' meetup, Clemens Hübner will show why it’s so important for developers to focus on web security—not just at the end of a project, but from the very beginning. Using real-world vulnerabilities and exploits as examples, he’ll explain the risks lurking online, how to learn from them, and how to avoid these mistakes from the start.

'In practice, many security issues are technically simple—that’s exactly what makes them so dangerous,' Clemens shares. 'For example, in one case, a medical application exposed patient data just by changing a user ID.' This kind of example shows how serious vulnerabilities can be, even in sensitive areas like healthcare.
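The "changing a user ID" flaw Clemens describes is an insecure direct object reference, which the OWASP Top 10 files under Broken Access Control. The following is an added illustration, not code from the talk or from inovex, with constructed sample records and hypothetical handler names: the vulnerable lookup beside one that enforces object-level authorization, plus a small check over the denied-access log that a defender could use to spot id probing.

```python
from dataclasses import dataclass

# Constructed sample data; not from any real application.
PATIENTS = {
    101: {"owner": "alice", "clinician": "dr_bob", "diagnosis": "asthma"},
    102: {"owner": "carol", "clinician": "dr_bob", "diagnosis": "migraine"},
    103: {"owner": "dave", "clinician": "dr_eve", "diagnosis": "eczema"},
}
# Denied lookups as (user, record_id), retained for the detection check below.
AUDIT = []

@dataclass(frozen=True)
class Session:
    user: str
    role: str  # "patient" or "clinician"

class NotFound(Exception):
    """Raised for missing and forbidden records alike, so ids cannot be enumerated."""

def get_patient_vulnerable(session, record_id):
    """Checks that the caller is logged in, but never that the record is theirs."""
    if record_id not in PATIENTS:
        raise NotFound(record_id)
    return PATIENTS[record_id]

def may_access(session, record):
    """Object-level rule: patients see their own record, clinicians their patients'."""
    if session.role == "patient":
        return record["owner"] == session.user
    if session.role == "clinician":
        return record["clinician"] == session.user
    return False

def get_patient_secure(session, record_id):
    """Same lookup with the authorization check that was missing above."""
    record = PATIENTS.get(record_id)
    if record is None or not may_access(session, record):
        AUDIT.append((session.user, record_id))
        raise NotFound(record_id)
    return record

def probing_users(audit, threshold=3):
    """Users denied on at least `threshold` distinct ids: a sign of id probing."""
    denied = {}
    for user, record_id in audit:
        denied.setdefault(user, set()).add(record_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)
```

The secure handler answers "not found" for both missing and forbidden ids, so a caller cannot tell which ids exist, and each denial lands in the audit list that `probing_users` evaluates.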

The OWASP Top 10: A guide for developers

Clemens recommends all developers check out the OWASP (Open Worldwide Application Security Project) Top 10—a list of the ten most common risks in web applications. This list is a great resource for understanding the biggest security threats. 'The OWASP Top 10 is an awesome starting point for building awareness of vulnerabilities,' explains the security engineer. 'But you can’t let yourself feel too secure just by ticking off those ten items. They’re very broad and general.'

Preventive Measures for Daily Development

How can developers keep their apps secure? Clemens points to two key areas: tools and mindset. "There are great, even free, tools out there to spot vulnerabilities in code or in live applications. That’s a good first step," he says. But just as important is the team’s attitude toward security. If security is seen as a shared goal rather than an "annoying task" left to the security manager, it makes security efforts much more effective.

Another important concept Clemens highlights is threat modeling. This involves the development team stepping into the shoes of a potential attacker to analyze where the app might have vulnerabilities. "It’s a huge help in spotting weaknesses early and addressing them."

Even though web security is more important than ever, it often takes a back seat in daily development. Why is that? Clemens believes it’s not due to a lack of interest from developers. Instead, it’s often about a lack of knowledge and clear priorities. "A lot of people simply don’t know where to start and think of security as something that only matters at the end of the project," he says.

Clemens stresses the importance of treating security as a core part of software development from the very beginning. "The biggest vulnerability is often the misunderstanding that security is something to deal with at the end. It’s about creating a culture where security is built in from the start," he explains.

Another challenge is the lack of awareness at the management level:

"Management often doesn’t fully grasp the value of a secure application. It’s not just about protecting against major hacks but also about preventing tangible financial losses, like when payment walls in apps are bypassed."

The Value of Community Meetups

Clemens also highlights the importance of connecting with the developer community. Meetups are a great way to exchange ideas about new technologies and their security aspects. With how quickly web development evolves, it can be tough to keep up, so learning from the community is invaluable.

The meetup, "What the Web!? Failures & Future Fixes: From Web Security to HTMX" is happening on October 17, 2024 at inovex GmbH in Erlangen. In addition to Clemens’ talk, Johanna Dolinga will introduce a lightweight framework that’s revolutionizing how we build dynamic web apps in her talk "HTMX – Return to Monkey?".
Contact: Sarah Grodd, Project Manager, NUEDIGITAL