Check out a free preview of the full Web Security course:
The "Introduction" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike North introduces his Web Security course by examining web security landscape in the context of front-end development. We recommend using Node version 8.17.0 with this course.

Get Unlimited Access Now

Transcript from the "Introduction" Lesson

[00:00:00]
>> Mike North: So first, I wanna make sure that everyone understands how huge the problem is that we have right now. What you see on the right here, this is one of these typical ransomware programs that it is essentially a virus that spreads across a network encrypting what it can identify as user data and then holding it for ransom where you have to pay some number of bitcoins to a particular address in order to get your data decrypted.

[00:00:31] This happens all the time and security experts, when you run into this situation, will tell you just pay it, you already got hit, you already have paid the cost, there's no way to undo it. And features and deadlines are always in competition with the things like security and things like tech debt that have a less tangible business value.

[00:00:56] Unless there is some compliance that your business is trying to get, I've worked with companies trying to get PCI compliance. Once you move past that, it's hard to keep that constant vigilance and constant awareness going. Whereas, you're always trying to fix bugs, and you're always trying to add features.

[00:01:14] And so it naturally sorta feels like a secondary concern. In particular, web developers have really fallen behind, compared to our backend and DevOps counterparts who have to think about security all the time. It is a regular part of what they think about whenever they do something. What could go wrong?

[00:01:34] Who should have access to this? In the front-end world, because of a combination of things, mainly that the target is moving so fast and we have to learn so much, and things like performance, our more pressing concern, when you talk to business stakeholders, we are lacking in knowledge compared to other engineers that may work at the same companies that we're at.

[00:02:03] Attacks are becoming more and more severe. Over the weekend, Equifax was breached. They basically allowed a web application to have access to 147 million people's Social Security numbers and credit card information. There's no reason a web app should've had access to all that data. There's no reason that the database query should've been allowed to dump all of the records of that table, that was the database working really, really, really hard for hours, like spiked at 100% CPU.

[00:02:37] And then letting like gigabytes of data travel out of their network unnoticed. So things are getting worse and worse and worse, and where we used to have to worry about the one or two people causing mischief, now we also have to worry about nation states that are launching attacks at other governments and at private businesses.

[00:02:58] And these groups have more resources than we're used to seeing so they can attack on a scale that is unparalleled. It seems like we're setting a new record with each breach, each massively distributed DDOS attack. So if that weren't bad enough, the barriers to staging an attack are lower than earlier.

[00:03:19] I'm going to show you some attack platforms, some little things that you can buy or download that literally have an app store where you can install stuff that will cause mischief on a Wi-Fi network. So all of these things kind of compound into us as web developers needing to take responsibility as we're writing our own code and as we're looking on our own apps.

[00:03:42] Not depending on our companies automated audits to protect our users but rather to build into our own ability to look at our own code and to evaluate our features for completeness and for safety. The idea of security. Not just, it won't break, but also mischief cannot be caused.