Web Security for Developers
Real Threats, Practical Defense
Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.
- Authors: Malcolm McDonald
- Published: 2020
- Publisher: No Starch Press
- Pages: 216
- Language: English
Read this if
Developers who want to understand security without security people in the loop. McDonald is the rare author who explains XSS, CSRF, SQLi, auth and sessions without offensive tooling distractions, in the language a working coder uses.
Skip this if
Practitioners who already know OWASP cold, or readers wanting depth on modern bug classes (SSRF chains, prototype pollution, race conditions). The book is foundational, not advanced.
Key takeaways
- The framing "real threats, practical defense" is the book's design choice and its strongest pedagogical move; every chapter starts with the attack and ends with the defensive code pattern.
- Web security has been mostly the same dozen mistakes for two decades; once you know the taxonomy, modern variants are recognizable as old bugs in new syntax.
- The chapter on session management and the chapter on third-party JS are the two highest-leverage pieces of the book for engineers who already know the basics.
Notes
Pair with The Tangled Web (Zalewski) for conceptual depth on the browser security model, and with Bug Bounty Bootcamp (Li) for the modern attacker view. Best book to assign to a backend engineer in their first week. The diagrams are unusually good for a No Starch security title; they reward re-reading.
What to read before
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
Beginner · 2020
Alice and Bob Learn Application Security
Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.
What to read next
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, whose 1978 thesis introduced the digital certificate and who later co-created STRIDE, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.
Intermediate · 2014
Threat Modeling
Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Explore similar books
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, whose 1978 thesis introduced the digital certificate and who later co-created STRIDE, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.
Intermediate · 2014
Threat Modeling
Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.
Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.