SYSTEM FOR DEVELOPING SECURE WEB APPLICATIONS BASED ON SUBSYSTEMS FOR TRAINING, PLANNING, AND SELECTING A TECHNOLOGY STACK
DOI: https://doi.org/10.31891/2219-9365-2026-85-35

Keywords: information security, web applications, SPA, PWA, security, system, subsystem, training, planning, technology stack, SMART goals

Abstract
The article addresses the problem of ensuring the cybersecurity of SPA and PWA web applications as attacks grow more sophisticated and dependency trees grow larger. The authors propose a system for developing secure web applications that combines training and technical components and is implemented through interconnected subsystems: staff training, planning, technology stack selection, prototyping, development, testing, and support. Each subsystem contains segments and control points that formalize transitions between stages and enforce the principles of "security by design" and "security by default." The article describes a methodology for setting SMART goals, building a matrix of threats and response scenarios, and evaluating candidate technologies by their security features, supported standards, and update lifecycle. The integration of security measures into the development pipeline is demonstrated: SAST/DAST, dependency auditing, a WAF with OWASP CRS rules, CSP policies, database access controls (TLS in transit, row-level security, field-level encryption), logging, and monitoring. Procedures for verifying stack readiness before prototyping and metrics for evaluating the effectiveness of training and implemented countermeasures are proposed.
Special attention is paid to the specifics of SPA/PWA: service worker management, secure offline data caching, client- and server-side validation, token protection, and cross-domain interaction. Approaches to policy management, responsibility distribution, risk prioritization, and continuous improvement in the DevSecOps paradigm are presented. Practices of reproducibility, documentation of control points, and the use of dashboards for decision transparency are summarized. The proposed system can be adapted to resource constraints and the scale of the organization, as well as to different deployment models.
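One of the SPA/PWA-specific concerns the abstract names is secure offline caching in the service worker: a cache that stores authenticated API responses leaves per-user data readable to anyone with the device. The following JavaScript is an added illustration written for this page, not code from the article or its authors. It shows a caching policy as a pure function that a service worker's "fetch" handler would consult before writing to the cache. The origin `https://app.example.com`, the `/api/` route prefix, the sample traffic, and the plain-object request/response shapes are all assumptions made for the example.

```javascript
// Added example (not from the article): offline-cache admission policy for a
// PWA service worker. Only same-origin, uncredentialed, static GET responses
// are allowed into the cache; anything user-specific is refused so that a
// shared or stolen device cannot read another session's cached API data.
// The policy is a pure function so it can be tested in Node without service
// worker globals; the worker-side glue is sketched in a comment at the end.
//
// Assumptions (hypothetical): the app is served from APP_ORIGIN, API routes
// live under /api/, and req/res are plain objects whose headers are either a
// lowercase-keyed object or a Headers-like object with .get().

const APP_ORIGIN = "https://app.example.com";
const API_PREFIX = "/api/";
const STATIC_PATH = /\.(?:js|css|html|json|png|svg|ico|woff2?)$/i;

function header(headers, name) {
  // Read a header from either a Headers object or a plain lowercase-keyed object.
  if (headers && typeof headers.get === "function") return headers.get(name) || "";
  return (headers && headers[name.toLowerCase()]) || "";
}

function deny(reason) {
  return { cache: false, reason };
}

// Decide whether a (request, response) pair may be written to the offline cache.
// Returns { cache: boolean, reason: string } so the caller can log the decision.
function shouldCache(req, res) {
  if (req.method !== "GET") return deny("non-GET request");
  let url;
  try { url = new URL(req.url); } catch { return deny("unparseable URL"); }
  if (url.origin !== APP_ORIGIN) return deny("cross-origin response");
  // A bearer token or session cookie on the request means the body is per-user.
  if (header(req.headers, "authorization") || header(req.headers, "cookie")) {
    return deny("credentialed request");
  }
  if (url.pathname.startsWith(API_PREFIX)) return deny("API route");
  if (res.status !== 200) return deny("status " + res.status);
  // Honour server cache directives; a Set-Cookie response is session-bound.
  const cc = header(res.headers, "cache-control").toLowerCase();
  if (/\bno-store\b|\bprivate\b/.test(cc)) return deny("cache-control forbids caching");
  if (header(res.headers, "set-cookie")) return deny("response sets a cookie");
  if (url.pathname !== "/" && !STATIC_PATH.test(url.pathname)) return deny("not a static asset");
  return { cache: true, reason: "same-origin static asset" };
}

// Constructed sample traffic for the demonstration (not captured from a real app).
const SAMPLES = [
  { name: "app shell", req: { method: "GET", url: APP_ORIGIN + "/", headers: {} },
    res: { status: 200, headers: { "cache-control": "public, max-age=600" } } },
  { name: "bundle", req: { method: "GET", url: APP_ORIGIN + "/static/app.js", headers: {} },
    res: { status: 200, headers: { "cache-control": "public, max-age=3600" } } },
  { name: "profile API", req: { method: "GET", url: APP_ORIGIN + "/api/me", headers: { authorization: "Bearer t0ken" } },
    res: { status: 200, headers: { "cache-control": "no-store" } } },
  { name: "account page", req: { method: "GET", url: APP_ORIGIN + "/account.html", headers: { cookie: "sid=abc" } },
    res: { status: 200, headers: {} } },
  { name: "third-party script", req: { method: "GET", url: "https://cdn.other.example/lib.js", headers: {} },
    res: { status: 200, headers: { "cache-control": "public" } } },
  { name: "login POST", req: { method: "POST", url: APP_ORIGIN + "/login", headers: {} },
    res: { status: 200, headers: { "set-cookie": "sid=abc; HttpOnly; Secure" } } },
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...shouldCache(s.req, s.res) }));
}

for (const r of evaluateSamples()) {
  console.log((r.cache ? "CACHE " : "SKIP  ") + r.name + " (" + r.reason + ")");
}

// Worker-side glue (not executed in Node):
// self.addEventListener("fetch", (event) => {
//   event.respondWith((async () => {
//     const res = await fetch(event.request);
//     const req = { method: event.request.method, url: event.request.url, headers: event.request.headers };
//     if (shouldCache(req, { status: res.status, headers: res.headers }).cache) {
//       const cache = await caches.open("static-v1");
//       await cache.put(event.request, res.clone());
//     }
//     return res;
//   })());
// });
```

The decision function deliberately fails closed: an unparseable URL, a non-200 status, or any credential on the request refuses caching, and the server's own `Cache-Control: no-store`/`private` is honoured even for paths that look static. Keeping the policy separate from the worker means it can be covered by the same unit tests that run in the pipeline, rather than only being exercised in a browser.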
License
Copyright (c) 2026 Тетяна КОРОБЕЙНІКОВА, Андрій КУРИЛЯК, Ігор ЖУРАВЕЛЬ

This work is licensed under a Creative Commons Attribution 4.0 International License.

