Ask HN: Best stack for secure API?

4 points by smt88 ↗ HN
I'm soon going to be leading a large team developing a highly-secure, high-volume web API. What stack should we use? Please give concrete reasons, preferably from extensive personal experience.

The best stack for the job needs bulletproof cryptography, a mature ecosystem, and strong appeal to developers. It also needs to be difficult to introduce errors while coding quickly.

It doesn't matter how good I am personally with the stack, which is why I'm asking for input.

(And don't say Node, because it fails almost all requirements...)

18 comments

[ 4.0 ms ] story [ 44.3 ms ] thread
I would recommend the Java language and platform. It's as mature as it gets, has strong crypto libraries, is quite popular (especially in banking, which I believe is the target domain) and has adequate type safety and static checking features. For a high-volume web service API I would recommend the Dropwizard framework. It may not be as sexy as, say, Node, but it is a very solid choice.

As a second alternative I would recommend still the JVM and its ecosystem, but with the Scala language and Typesafe's platform. It offers an (arguably) better language, the actor model (which may help with high-volume processing), a modern web framework and may be more attractive to developers, but the ecosystem is not as mature as pure Java.

Thanks for the input! I suspected that Java would be a frontrunner.

Scala is really interesting, but I'm concerned about likely having to train every new developer. I know that a powerful tool takes time to learn, but I don't know if we'd have the budget for new devs to be unproductive.

I'm also concerned about tooling. Having really deep IDE integration is a huge productivity boost in other languages like Python. Is Scala still weak in IDE integration?

Scala IDE support has improved a lot. I use IDEA and I have no complains at all, at least for my needs. For instance it is very quick to point out errors and to show the inferred types for expressions, functions and variables. Refactoring such as renaming and extract method work very well.

I mentioned Scala because it could be more attractive (i.e. "sexy") than plain Java, and produce a more clear and concise code base (if used well).

But I agree with you that you'll find many more available and trained Java programmers. If you avoid the old-style, heavy-duty "enterprise" frameworks and stick to a more straightfoward architecure, and perhaps take advantage of Java 8 features, it should be a very good platform to build upon.

When people complain about poor IDE support, they are usually ex-Java developers which are accustomed to pretty much the best IDEs available (every tried writing Java without an IDE? It sucks.).

Scala IDE support is already better than IDE support for most other languages like C++, F#, Haskell, OCaml, JavaScript, Python, Ruby, etc. It can't compete with Java yet, but it is getting there slowly.

In ranked order of preference based on ~10 years experience consulting, with safety being the only criteria: Java, Golang, Python, Ruby, PHP, Perl. Seriously, don't use Perl.

That Golang makes it so high on the list surprises me too, but we really did look at a fair bit of Golang code, and Golang projects (at least the ones that didn't do their own crypto) tended to be dispiriting, because there usually wasn't much to find.

Also: Java's pole position on that list makes some assumptions; for instance, that you're not using a heavyweight framework in the vein of Spring and Struts. All bets are off if you use Spring.

Wait, why do you say all bets are off if you use Spring? Don't banks and most running the Java EE run Spring?
Yes, large financials do tend to run Spring. I'm not sure what that has to do with the safety of the framework. Banks do not as a rule have safer code than other kinds of enterprises.
Is it really that naive to assume that banks have higher security standards than, say, shopping list apps? ;-)
I'm not sure "naive" is the word I'd choose. Let's just say those standards are often aspirational.
My bank's site is SSLv3-only. Banks do the least amount of security they can get away with, because they do not compete on security and they are insured against loss and the customers indirectly pay for the insurance via fees.
My friend works for Accenture. Whenever they've tried to pitch a security project to a company, the company has basically laughed in their faces.

They'd rather have just paid out for a huge loss of data (think Target and Home Depot) rather than put in the money upfront. They thought the upfront money would be greater.

After those aforementioned disasters, things have changed, and Accenture is now (a little bit more) able to sell security projects.

Spring brags about having 1.3 million lines of code. That's a security nightmare right there, and that amount of code is nowhere close to being necessary for a web API. No one person can get a handle on all that code.
I'm seriously considering Go. One of the reasons is that it's very simple, and the other is that I've noticed a lot of the best developers are chomping at the bit to work with it.

When you're trying to draw talented people to your project, it's a lot easier if you're working with something they consider to be a "well-engineered" technology.

If you've been tasked with leading this team... isn't this what you should be doing?

Also, care to let us know what requirements Node fails?

I would go with Golang, type safety means less unexpected errors, strong adoption means easy to find engineers and good ecosystem of libraries.
I'm curious about Golang. Do you believe it already fulfills OP's requisites of "mature ecosystem" and "strong appeal to developers"? Has Go's ecosystem maturity improved significantly (e.g. IDE support, debugging, mature libraries -- how many years old? --, books, courses), and has its adoption approached that of mainstream languages?
Yes I do. Golang is new compared to say Java but it was announced just over 5 years ago which is a fairly long time in the software world. It is backed and used extensively by one of the biggest technology companies in the world exactly for building fast, stable and secure web services which it does very well.

The standard library is extensive and well thought out. There are many libraries available on GitHub and it is easy to import them with `go get`. All of this has caused it to be adopted and well received by developer. While not quite up to par with established and well entrenched languages like C or Java I believe it is climbing at a fast trajectory and has become the go-to language for new startups here in SF right after Node.js, of course enterprise is going to stick to the surefire safe bets in Java.

There is a difference to be noted in that Go is minimal and unlike Java in that it is the convention to prefer using a simple text editor and small libraries rather than rely on an IDE or huge frameworks such as you will find in Javaland.