Web application security requires constant attention

2025-04-16

Developing a secure web application takes concentrated effort and time by the entire team. Whilst there's been a positive trend to more secure web applications over the last 10 years, there's still some way to go in the world of web application security.

The most talked-about and most-referenced document in this regard is the OWASP Top 10, which lists the most common security vulnerabilities in web applications. However, the latest version is from 2021. A new version is expected to be released in early 2025. I strongly encourage you to dive into the OWASP Top 10 if it's been a while or if you've never heard of it. However, I won't spend much time talking about it here.

Instead, I want to talk about the more important factor behind web app security: culture. Especially in early-stage startups, security often takes a backseat to velocity. Shipping features quickly is seen as more important, to stay ahead of the competition; cleaning up can be done afterwards.

It's true that developing features in the context of an early-stage startup is a delicate balance. However, it's important that security not get the short end of the stick, because any damage caused by this tradeoff will be very costly to fix. It's also not something that is done occasionally; instead, it requires constant attention and effort from the team.

Depending on where you are with securing your web application, there are some quick wins too: setting up protected branches, CI/CD with automated testing, and static security checks are all relatively simple to put in place. Granted, none of this directly changes the code. However, the infrastructure and the surrounding processes contribute as much to web application security as the code itself.

Doing all of these things requires a shift in culture. In most people's minds, security is annoying, because it causes friction or takes additional time. However, in 2025, it's an integral part of the work, whether you're busy developing your MVP or scaling existing software. It's no longer good enough to do it half-heartedly.

Yours,
Søren
