Ask HN: Where to start learning security for consumer Internet products? - svjunkie

I'm considering designing a consumer internet product, but don't know the first thing about security.  I'd like to avoid compromising my users' data, so if you can point me in the right direction I'd greatly appreciate it.  Thanks!
======
patio11
This is a very, very deep topic.

Everything I know about web vulnerabilities in a sentence: User input cannot
be trusted. Do I have room for two sentences? Assume every string in the
application is user input unless you've got provable chain of custody back to
God Almighty, who is the only entity I would trust to handle whitelisting
correctly.

There is a regularly published list of the most common web vulnerabilities.
Most have had well-understood fixes for years or decades, and will have much
better developers than you or I shoot themselves in the foot today.

<http://www.owasp.org/index.php/Top_10_2007>

Happily, you can pick some of this up as you go along, because insecure web
applications (three words which could be two words without compromising
informational content) can still produce meaningful business results. Don't
let this be the reason you don't write something, unless something is nuclear
power plant control software or the like.
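
A small worked illustration of the "user input cannot be trusted" rule above, written for this thread as an added example (it is not code from patio11 or from any project named here, and the in-memory SQLite table and user rows are constructed sample data). It shows the same lookup done by pasting the string into the SQL text and by binding it as a parameter, an allowlist for the one place a parameter cannot be used (an identifier such as a sort column), and HTML escaping at output time so a stored name cannot become markup.

```python
import html
import sqlite3

# Constructed sample database: two users, one of whom has markup in their name.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, display_name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "<b>Bob</b>")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, email):
    # Vulnerable: the untrusted string becomes part of the SQL statement itself,
    # so a quote in the input changes the query's structure.
    query = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, email):
    # Parameterized: the value is bound separately and is never parsed as SQL,
    # so the same input is simply an address that matches no row.
    return [
        row[0]
        for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    ]


# Identifiers (column names) cannot be bound as parameters, so the only safe
# option is an explicit allowlist of values the application itself defined.
ALLOWED_SORT_COLUMNS = {"email", "display_name"}


def list_users_sorted(conn, sort_by):
    # Reject anything not on the allowlist rather than trying to sanitize it.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    return [
        row[0] for row in conn.execute("SELECT email FROM users ORDER BY %s" % sort_by)
    ]


def render_greeting(display_name):
    # Escape at the point of output: a stored name is still user input, even
    # though it came from our own database.
    return "<p>Hello, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe lookup returned", len(find_user_unsafe(db, probe)), "rows")
    print("safe lookup returned", len(find_user_safe(db, probe)), "rows")
    print(render_greeting("<b>Bob</b>"))
```

The parameterized query and the allowlist are two halves of the same rule: bind values, and constrain everything that cannot be bound to a set the application chose in advance. The escaping step shows why "it came from the database" does not count as a chain of custody.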

~~~
svjunkie
Thanks for the response! My question actually stems from your blog post on
zero-day Diaspora exploits and I appreciate the input. Guess I'll start with
the obvious stuff and learn from mistakes as I go along.

------
percept
[http://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site](http://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site)

------
andrewtbham
Here is a short list of topics that are helpful to understand:

threat modeling/analysis, cross site scripting, sql injection, session
hijacking, database security/permissions, firewalls, intrusion detection,
keeping system software up to date.

------
andrewtbham
It is a big topic. It might help if you specified what platform/languages you
are using.
