Ask HN: Best stack for secure API?
I'm soon going to be leading a large team developing a highly-secure, high-volume web API. What stack should we use? Please give concrete reasons, preferably from extensive personal experience.
The best stack for the job needs bulletproof cryptography, a mature ecosystem, and strong appeal to developers. It also needs to be difficult to introduce errors while coding quickly.
It doesn't matter how good I am personally with the stack, which is why I'm asking for input.
(And don't say Node, because it fails almost all requirements...)
18 comments
[ 4.0 ms ] story [ 44.3 ms ] threadAs a second alternative I would recommend still the JVM and its ecosystem, but with the Scala language and Typesafe's platform. It offers an (arguably) better language, the actor model (which may help with high-volume processing), a modern web framework and may be more attractive to developers, but the ecosystem is not as mature as pure Java.
Scala is really interesting, but I'm concerned about likely having to train every new developer. I know that a powerful tool takes time to learn, but I don't know if we'd have the budget for new devs to be unproductive.
I'm also concerned about tooling. Having really deep IDE integration is a huge productivity boost in other languages like Python. Is Scala still weak in IDE integration?
I mentioned Scala because it could be more attractive (i.e. "sexy") than plain Java, and produce a more clear and concise code base (if used well).
But I agree with you that you'll find many more available and trained Java programmers. If you avoid the old-style, heavy-duty "enterprise" frameworks and stick to a more straightfoward architecure, and perhaps take advantage of Java 8 features, it should be a very good platform to build upon.
Scala IDE support is already better than IDE support for most other languages like C++, F#, Haskell, OCaml, JavaScript, Python, Ruby, etc. It can't compete with Java yet, but it is getting there slowly.
That Golang makes it so high on the list surprises me too, but we really did look at a fair bit of Golang code, and Golang projects (at least the ones that didn't do their own crypto) tended to be dispiriting, because there usually wasn't much to find.
Also: Java's pole position on that list makes some assumptions; for instance, that you're not using a heavyweight framework in the vein of Spring and Struts. All bets are off if you use Spring.
They'd rather have just paid out for a huge loss of data (think Target and Home Depot) rather than put in the money upfront. They thought the upfront money would be greater.
After those aforementioned disasters, things have changed, and Accenture is now (a little bit more) able to sell security projects.
When you're trying to draw talented people to your project, it's a lot easier if you're working with something they consider to be a "well-engineered" technology.
Also, care to let us know what requirements Node fails?
The standard library is extensive and well thought out. There are many libraries available on GitHub and it is easy to import them with `go get`. All of this has caused it to be adopted and well received by developer. While not quite up to par with established and well entrenched languages like C or Java I believe it is climbing at a fast trajectory and has become the go-to language for new startups here in SF right after Node.js, of course enterprise is going to stick to the surefire safe bets in Java.
There is a difference to be noted in that Go is minimal and unlike Java in that it is the convention to prefer using a simple text editor and small libraries rather than rely on an IDE or huge frameworks such as you will find in Javaland.