10 common developer misconceptions about web application security

Where it all begins: The troubled relationship between software innovation and security

Software development is all about making things work and creating new functionality that solves problems and unlocks new possibilities. That creative buzz is part of the appeal of web development – and yet Invicti research shows that 32% of web developers spend at least five hours a day addressing security issues. All too often, inefficient communication and inadequate tools cause developers to treat security-related requests as a chore and a distraction that has no clear reason and brings no visible results. This mistrust is reinforced by common misconceptions about web application security – many not exclusive to developers.

Misconception #1: Security is not a development problem

Reality: Application security is a crucial part of modern web development, especially as you move towards DevSecOps.

Let’s start with the mother of all application security misconceptions: that security is someone else’s problem. Whether you’re putting your trust in tools, external systems, or the security team, it’s tempting to put security out of mind and focus only on building software. In reality, web applications are now so complex and can be attacked in so many ways that the only way to truly secure them is to make security everyone’s business – starting but also ending with development. After all, whenever vulnerabilities are found in your custom web applications, the fix requests eventually end up in development, so efficiently dealing with them as they arrive is crucial to avoid bottlenecks and prevent professional burnout.

Misconception #2: Our web framework takes care of security

Reality: A good quality framework can prevent many security flaws but is nowhere near enough on its own.

Web frameworks and libraries have revolutionized development, providing the scaffolding to build production sites and applications using only a fraction of the time and resources that it would take to develop from scratch. Choosing a framework with a solid security record is a must as it helps you entirely avoid some classes of technical vulnerabilities – but only some classes, and only when using…