3 Security Myths, Busted!
Why people don't care about security and why they should.
It's exciting to build, deploy and ship web applications to millions of users, but at the same time one should be aware of the security flaws and holes in the application that could affect those same millions of users. More often than not, developers are busy choosing the best tool out of a plethora of frameworks or libraries to squeeze out that extra bit of performance. That is not bad in itself, but it is equally important to follow good coding practices that strengthen the security of the application.
In this article, I'm going to discuss why people don't take security seriously and why they should.
1. I'm not the target
Often these are small to mid-size businesses or individuals who think they are not a target because, you know, why would a hacker bother with them when there are already big fish around with humongous stores of sensitive data? That seems reasonable on the outside, but if you look closer you will find it a very dangerous assumption.
To make my point clear, let's take the example of a small side project that shows the weather for your city. It doesn't store any user data, so there is no sensitive data to steal.
But:
- It is hosted on a server somewhere, so it has computational resources an attacker could use.
- It probably has some storage where an attacker could keep illegal data.
- An attacker can also enlist it in a botnet.
So I'm sure you can see the issue here. Every site, whether large or small, is a potential target for an attacker.
2. Security is an illusion
With all the zero-day attacks floating around in the media, where big companies with in-house cyber security experts fail to shield themselves against hackers, it feels as though security is just an illusion that is hard to achieve. But if you look closely, you'll find that most attacks are based on well-known vulnerabilities like XSS and SQL injection, which could easily be prevented if the developer working on the system had proper knowledge of both the attack and the fix.
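To show how little the fix costs for the two vulnerabilities named above, here is an added example (not code from the original article) built around the weather side project from the first myth: an SQL lookup and an HTML page fragment, each in a vulnerable form and a hardened form. The table, city names and temperatures are constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample data for a weather lookup page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weather (city TEXT, temp_c REAL)")
    conn.executemany(
        "INSERT INTO weather VALUES (?, ?)",
        [("Delhi", 31.0), ("Oslo", 4.5), ("Lima", 19.0)],
    )
    return conn


def lookup_vulnerable(conn, city):
    # SQL injection: the user-supplied city is pasted into the query text,
    # so quotes and keywords inside it become part of the SQL itself.
    sql = f"SELECT city, temp_c FROM weather WHERE city = '{city}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, city):
    # Fix: a parameterised query. The driver passes the value separately,
    # so it is only ever compared as data and never parsed as SQL.
    sql = "SELECT city, temp_c FROM weather WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()


def render_vulnerable(city):
    # XSS: the user-supplied city is reflected into HTML unescaped,
    # so markup inside it is interpreted by the browser.
    return f"<h1>Weather for {city}</h1>"


def render_safe(city):
    # Fix: escape for the HTML text context before reflecting it.
    return f"<h1>Weather for {html.escape(city)}</h1>"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_safe(conn, "Oslo"))
    print(render_safe("Oslo <3"))
```

A unit test that feeds the same odd-looking input to both variants of each function makes the difference visible in a CI run rather than in a penetration test at the end of the release.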
3. Security is unproductive
Every developer wants to push the release within the given deadline, and to achieve this some simply forget a crucial part of building a product: security. Some believe that security checks are holding them back, and some just think it is unproductive.
In most companies, the general process is to hire penetration testers once the release is ready, but this in itself has a few problems. What if the testers find a critical bug that requires changes across the whole release? And when a modification is made afterwards, should the testers re-test everything again? These problems arise from the notion that security is a task to be done at the end. Security is a process that should be incorporated while developing the feature itself.
Nowadays, there are plenty of online resources with which one can learn the fundamentals of web security. To get started, here's a great resource you can follow: Top 10 Web Application Security Risks
I hope you'll find this article interesting and educative. Thanks for reading, until then bye !