Security First approach in development of Single-Page Application based on Angular
Danielecki, Daniel (2019-10-04)
Security First approach in development of Single-Page Application based on Angular
Danielecki, Daniel
(04.10.2019)
Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.
avoin
Julkaisun pysyvä osoite on:
https://urn.fi/URN:NBN:fi-fe2019101132356
https://urn.fi/URN:NBN:fi-fe2019101132356
Tiivistelmä
Recently a Single-Page Application (SPA) approach is getting attention even though this is based on JavaScript is not considered to be a safe programming language. In the SPA ecosystem developers often have to use many external dependencies. Detected vulnerabilities in these external dependencies are disclosed and updated in most cases by the community. Often, in-depth security analysis is not included during the development stage, due to project deadlines and other circumstances. It goes with number of complications. The most straightforward is to be vulnerable for cyber attacks which causes financial problems for companies. Currently law already includes penalties in case of data breaches. Moreover, detected vulnerable code delays projects due to necessary time to improve it. Sometimes it requires to change the whole architecture if the application was poorly designed or in case security was skipped completely in the early stage. It might lead even to putting changes in the architectural style once the application is already on the market. It does makes high pressure on software developers to fix it fast. The rush to deliver it as fast as possible can create new security risks, because in some scenarios it might take significant amount of time to change the design with security prioritization.
Especially within the financial industry consequences of not including security during the design stage might be harmful. Companies in this industry are entrusted with high social trust and sensitive (personal) data. For such enterprises shortcomings in security might cause data, image and money loss. Cybercrime activities are intensifying and for some companies it might causes to be kicked out of business due to hacking. This important factor of software development is currently getting more attention. That is why providing security in an early stage of a project is important, as well should be considered as a prerequisite.
Security should be integrally included in all parts of the development cycle: specification, design, implementation and testing. The desired result is a secure web application. Improving security might be done explicitly by using security analysis and enhance security accordingly to the results. However, implicit methods like clean code, programming best practices, proper architecture design also applies. Ideally, in a continuous security way. Programming best practices and countermeasures against web application security threats have been used to analyse and verify SPA security.
In this research project, an Angular SPA has been developed with focus on security. It includes programming best practices, security analysis and number of different tests. The main goal was to develop a SPA based on the Angular framework with security first approach. An in-depth security analysis of the deployed application is then conducted with validation of these results.
Especially within the financial industry consequences of not including security during the design stage might be harmful. Companies in this industry are entrusted with high social trust and sensitive (personal) data. For such enterprises shortcomings in security might cause data, image and money loss. Cybercrime activities are intensifying and for some companies it might causes to be kicked out of business due to hacking. This important factor of software development is currently getting more attention. That is why providing security in an early stage of a project is important, as well should be considered as a prerequisite.
Security should be integrally included in all parts of the development cycle: specification, design, implementation and testing. The desired result is a secure web application. Improving security might be done explicitly by using security analysis and enhance security accordingly to the results. However, implicit methods like clean code, programming best practices, proper architecture design also applies. Ideally, in a continuous security way. Programming best practices and countermeasures against web application security threats have been used to analyse and verify SPA security.
In this research project, an Angular SPA has been developed with focus on security. It includes programming best practices, security analysis and number of different tests. The main goal was to develop a SPA based on the Angular framework with security first approach. An in-depth security analysis of the deployed application is then conducted with validation of these results.