Ask HN: How can I learn to secure my application infrastructure against attacks?

4 points by grepthisab ↗ HN
I created an app a year ago, web app. Store lots of customer information. Traditional front end in React, Express middle, and a database server type of layout. I am not a security person but believe I generally follow best practices with regard to things like MFA/password policies/etc.

However, I am worried that there are things I am missing that will subject me to data breach and loss of customer data. How do I learn to secure my app? Is there a checklist of best practices? Not really sure where to start outside of making sure everything is always patched and updated and following sane password/authentication schemes.

Maybe there's a good book on the subject?

4 comments

[ 2.9 ms ] story [ 17.1 ms ] thread
Some will argue about usefulness of CISSP certificate but I'd say the prep guides are definitely good source of solid foundations in terms of recognised good practices.
It's a tricky question, and I've spent years of my life trying to answer it. Hey, I am a security person and a developer and I don't always trust myself to do the right thing. No matter how much time I spend educating myself, there's _always_ something I still need to learn.

At the operating system level, the bare minimum is run only the services you need, have a firewall that refuses unwanted traffic, and to patch regularly. If you can, automatically apply security patches.

In terms of application security, in the ideal case you will have a budget that allows you to hire professionals to take a look at your systems, both from the inside and the outside. Simplifying, internal reviews usually try to answer the question "is this correctly built", whereas external reviews usually focus on "can we get in".

If you don't have a budget (as many small operations don't), I'd recommend the following approach:

1) Make sure you fully understand XSS and SQL injection vulnerabilities. These two are usually responsible for the majority of security issues in applications. The latter can easily lead to full data loss. Understanding them is not easy, but it's manageable. Once you know enough, make sure your applications are not vulnerable. CSRF is something that you should look into, also.

2) Security is not something developers can ignore, so allocate some time every week to learn something new. Even though this is a never-ending task, after a couple of months (and years) you will be much better off.

3) Continuously run entry-level scans against your application, for example using OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Proje... This should help you avoid the obvious problems. They have a Docker image and something they call a "passive scan", which addresses low-hanging fruit.

4) Harden your application, applying all modern security standards that make sense. I've decided that this is where people should focus their efforts first. An application that utilises a good number of standards is robust and can resist exploitation even when vulnerable. (Anecdote: the number of vulnerability reports dropped dramatically after Mozilla deployed CSP.) This step can be tricky, too, because there are so many standards and many ways to misconfigure them. My earlier work (SSL Labs, https://www.ssllabs.com) focused on encryption and certificates. My current project (Hardenize, https://www.hardenize.com) focuses on a wide range of security standards, starting from DNS (and DNSSEC/DANE/CAA, etc), over email, TLS, and to application security (e.g., CSP, cookies, mixed content, SRI, etc). The idea with Hardenize is especially to help people who don't have the budget but nevertheless want to stay informed and do as best as they can, security-wise.

> Maybe there's a good book on the subject?

Shameless plug: I wrote a book exactly on this topic, and you're my target audience, so hopefully it answers a bunch of your questions. https://www.manning.com/books/securing-devops

And I'm genuinely interested to know if you find it useful. Feel free to reach out!