Secure web development is a process that starts at the design stage of a web application and continues through development and release and beyond. Its goal is to make, and keep, the application as secure as possible while it still performs its intended function.
The steps include choosing an appropriate programming language, following secure coding practices, deciding how and where the application will be hosted, and testing and updating it on an ongoing basis.
Securing data on a public-facing web application is a much more complicated process than securing internal data. Internal data can be protected very effectively by limiting access to the server to certain individuals and machines, behind a combination of firewalls and physical barriers that make it difficult for an outsider to penetrate. Basically, you put your server in a safe and shut the door to everybody but a few authorised personnel.
A web application or website is public by nature and has to be accessible to everybody in order to perform its intended function. This demands a completely different kind of security: we have to open the front door and let anyone in, while ensuring that those who enter are not “up to no good”.
Your internal data is like your store room: it can easily be kept under lock and key, away from public access.
A web application, however, is more like a busy shop front. You have to let people in, but you also have to make sure they don’t break or steal your products, or steal from other shoppers while they are in your shop. We do this by monitoring and studying behaviour, then taking precautions that deter the malicious kinds.
The Open Web Application Security Project (OWASP) publishes the OWASP Top 10, which reflects broad consensus about the most critical security risks to web applications.
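The shop-front idea above, and the injection and cross-site scripting risks that appear in the OWASP Top 10, are easier to see in code. The following is an added example, not code from the original article or from OWASP: a tiny product-search endpoint written twice, once splicing the visitor's input straight into SQL and once binding it as a parameter, together with the input validation, output encoding and per-client rate limiting a public endpoint needs. The table names, product rows, client address and rate limits are all constructed for the demonstration.

```python
import collections
import html
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a public product catalogue plus an internal
    staff table that the public search box must never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
        CREATE TABLE staff (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products (name, price_cents) VALUES
            ('Garden spade', 1999),
            ('Rake <b>XL</b>', 2499),
            ('Watering can', 899);
        INSERT INTO staff (username, password_hash) VALUES
            ('alice', '$2b$12$constructed-placeholder-hash');
        """
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the visitor's text becomes part of the SQL statement, so a
    quote in the input lets them rewrite the query (OWASP Top 10: Injection)."""
    sql = f"SELECT name, price_cents FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the text travels as a bound parameter and can only ever be
    compared as data; it cannot change the shape of the statement."""
    sql = "SELECT name, price_cents FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Shape check on what a search term may look like (constructed policy).
# This is a sanity filter, not the injection defence: the parameter binding
# above protects the database even when this check is bypassed.
TERM_PATTERN = re.compile(r"[\w .'-]{1,64}")


def valid_term(term: str) -> bool:
    return TERM_PATTERN.fullmatch(term) is not None


def render_row(name: str, price_cents: int) -> str:
    """Encode catalogue data for its HTML context, so markup that was stored in
    a product name (or planted by another 'shopper') is shown, not executed."""
    return f"<li>{html.escape(name)} ({price_cents / 100:.2f})</li>"


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds
    for each client, the 'watching behaviour' part of the shop-front analogy."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits = collections.defaultdict(collections.deque)

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:
            hits.popleft()          # forget requests outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_search(conn, limiter, client, now, term):
    """The public endpoint: throttle, validate, query safely, encode output.
    Returns (http_status, body) so the caller can frame it however it likes."""
    if not limiter.allow(client, now):
        return 429, "too many requests"
    if not valid_term(term):
        return 400, "invalid search term"
    rows = search_safe(conn, term)
    return 200, "<ul>" + "".join(render_row(n, p) for n, p in rows) + "</ul>"


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' UNION SELECT username, password_hash FROM staff --"
    print("unsafe:", search_unsafe(db, payload))   # leaks the staff table
    print("safe:  ", search_safe(db, payload))     # no rows at all
    limiter = RateLimiter(limit=5, window=60.0)
    print(handle_search(db, limiter, "203.0.113.7", 0.0, "rake"))
```

Run it and the unsafe query returns the staff row alongside the products, because the closing quote in the payload ends the string literal and the rest is parsed as SQL; the bound-parameter version returns nothing, because the whole payload is compared as one literal string. The validation and rate limiting sit in front of the query, but neither is what stops the injection.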