Ask HN: Where to start learning security for consumer Internet products?

10 points by svjunkie ↗ HN
I'm considering designing a consumer internet product, but don't know the first thing about security. I'd like to avoid compromising my users' data, so if you can point me in the right direction I'd greatly appreciate it. Thanks!

5 comments

[ 3.4 ms ] story [ 15.4 ms ] thread
This is a very, very deep topic.

Everything I know about web vulnerabilities in a sentence: User input cannot be trusted. Do I have room for two sentences? Assume every string in the application is user input unless you've got provable chain of custody back to God Almighty, who is the only entity I would trust to handle whitelisting correctly.

There is a regularly published list of the most common web vulnerabilities. Most have had well-understood fixes for years or decades, and will have much better developers than you or I shoot themselves in the foot today.

http://www.owasp.org/index.php/Top_10_2007

Happily, you can pick some of this up as you go along, because insecure web applications (three words which could be two words without compromising informational content) can still produce meaningful business results. Don't let this be the reason you don't write something, unless something is nuclear power plant control software or the like.

Thanks for the response! My question actually stems from your blog post on zero-day Diaspora exploits and I appreciate the input. Guess I'll start with the obvious stuff and learn from mistakes as I go along.
it is a big topic. it might help if you specified what platform/languages you are using.
here is a short list of topics that are helpful to understand:

threat modeling/analysis, cross site scripting, sql injection, session hijacking, database security/permissions, firewalls, intrusion detection, keeping system software up to date.