Ask HN: What's the hardest thing to secure in a web-app?

7 points by juansgaitan 6 years ago | 7 comments

westurner 6 years ago |

"OWASP Top 10 Most Critical Web Application Security Risks" https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...

> A1:2017-Injection, A2:2017-Broken Authentication, A3:2017-Sensitive Data Exposure, A4:2017-XML External Entities (XXE), A5:2017-Broken Access Control, A6:2017-Security Misconfiguration, A7:2017-Cross-Site Scripting (XSS), A8:2017-Insecure Deserialization, A9:2017-Using Components with Known Vulnerabilities, A10:2017-Insufficient Logging&Monitoring

"OWASP Top 10 compared to SANS CWE 25" https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-s...

fulafel 6 years ago |

Robust confidentiality against traffic analysis is one.

juansgaitan 6 years ago | |

Can you explain what you mean by "confidentiality against traffic analysis"?

fulafel 6 years ago | | |

TA is a tern of art in crypto. It means you can deduce what the parties are communicating and who they are by statistically analysing the sizes, timings and addresses of messages. In practice - it's easy for an eavesdropper to see you are using Gmail, and also possible to deduce whether your email content matches some known messages the eavesdropper possibly has seen before. Etc. One widely known tech that tries to mitigate TA is Tor.

codegladiator 6 years ago |

Do you mean like credit card number ?

juansgaitan 6 years ago | |

Could be. What do we need to ensure credit card number security for example?

cableshaft 6 years ago | | |

Don't ask for one is by far the best way.

If you absolutely need to do credit card payments, then consider using a third party system to handle it (like Stripe).