Ask HN: Where to start learning security for consumer Internet products?
I'm considering designing a consumer internet product, but don't know the first thing about security. I'd like to avoid compromising my users' data, so if you can point me in the right direction I'd greatly appreciate it. Thanks!
5 comments
[ 3.4 ms ] story [ 15.4 ms ] threadEverything I know about web vulnerabilities in a sentence: User input cannot be trusted. Do I have room for two sentences? Assume every string in the application is user input unless you've got provable chain of custody back to God Almighty, who is the only entity I would trust to handle whitelisting correctly.
There is a regularly published list of the most common web vulnerabilities. Most have had well-understood fixes for years or decades, and will have much better developers than you or I shoot themselves in the foot today.
http://www.owasp.org/index.php/Top_10_2007
Happily, you can pick some of this up as you go along, because insecure web applications (three words which could be two words without compromising informational content) can still produce meaningful business results. Don't let this be the reason you don't write something, unless something is nuclear power plant control software or the like.
threat modeling/analysis, cross site scripting, sql injection, session hijacking, database security/permissions, firewalls, intrusion detection, keeping system software up to date.