There is a lot of misconception among developers and managers about the nature and responsibility of web application security. Contrary to popular belief:
Looking at the OWASP Top 10, we can see that most attacks are performed using simple attack vectors that rely on ignorance or negligence on the part of the developers. Attacks using zero-day or underlying OS exploits are rare and used only against high-profile targets.
Breaches in security are becoming more and more expensive - according to a recent survey by PwC, the average cost of a breach is between $116,000 and $480,000 for small companies, and between $2,250,000 and $4,860,000 for big companies.
The website you build might not be Facebook with hundreds of millions of users, but that doesn't matter. Attackers use mass scanning techniques to find and compromise easy targets no matter how small, because it's ultimately your users that they are after. Breaking your security can help compromise more prominent targets - you might just be the weakest link in the chain.
Experts in the field spend most of their time looking for new vulnerabilities or performing penetration testing to discover your code's deficiencies. Mitigation within your application is not their job - it's yours. Learn and become a better developer so you won't have to discover vulnerabilities through exploits.
Learn to mitigate the main attack vectors against authentication, session management and authorization systems.
Study the complexities of securing your browser-side code. Implement various defences against attacks targeting your users.
Find out how to handle and store your data securely. Mitigate various data stealing attack vectors.
Take the power from attackers by learning to avoid vulnerabilities in your input handling.
Learn to systematically analyze your existing code to discover vulnerabilities and apply mitigation.
Every node.js team should have Karl's book under their belt. Especially if you are a seasoned developer entering Node's ecosystem, this book is great to bring you up to speed with what you can expect from the darker corners of the Internet.
The NodeJS community has been waiting for a book like this. For all of NodeJS’s ease, it comes at a cost: security. This book eases that cost and removes the often-overlooked downsides of NodeJS development.
A thorough and clear explanation of web app security, from the database to the app server to the client. Highly recommended for developers of node-based apps!
If you want to learn how to secure your Node.js apps there is no way around Karl Düüna's book. In a clear and concise manner the author shows the ins and outs about how to make your Node.js app an impenetrable fortress. Not a Node.js user? No problem - much of what is covered in Karl Düüna's book can be used in other environments with little change.