

Ask HN: Best stack for secure API? - smt88

I'm soon going to be leading a large team developing a highly-secure, high-volume web API. What stack should we use? Please give concrete reasons, preferably from extensive personal experience.

The best stack for the job needs bulletproof cryptography, a mature ecosystem, and strong appeal to developers. It also needs to be difficult to introduce errors while coding quickly.

It doesn't matter how good I am personally with the stack, which is why I'm asking for input.

(And don't say Node, because it fails almost all requirements...)
======
tptacek
In ranked order of preference based on ~10 years' experience consulting, with
safety being the only criterion: Java, Golang, Python, Ruby, PHP, Perl.
Seriously, don't use Perl.

That Golang makes it so high on the list surprises me too, but we really did
look at a fair bit of Golang code, and Golang projects (at least the ones that
didn't do their own crypto) tended to be dispiriting, because there usually
wasn't much to find.

Also: Java's pole position on that list makes some assumptions; for instance,
that you're not using a heavyweight framework in the vein of Spring and
Struts. All bets are off if you use Spring.

~~~
infinitone
Wait, why do you say all bets are off if you use Spring? Don't banks and most
running the Java EE run Spring?

~~~
tptacek
Yes, large financials do tend to run Spring. I'm not sure what that has to do
with the safety of the framework. Banks do not as a rule have safer code than
other kinds of enterprises.

~~~
cpach
Is it really _that_ naive to assume that banks have higher security standards
than, say, shopping list apps? ;-)

~~~
tptacek
I'm not sure "naive" is the word I'd choose. Let's just say those standards
are often aspirational.

~~~
cpach
:)

------
facorreia
I would recommend the Java language and platform. It's as mature as it gets,
has strong crypto libraries, is quite popular (especially in banking, which I
believe is the target domain) and has adequate type safety and static checking
features. For a high-volume web service API I would recommend the Dropwizard
framework. It may not be as sexy as, say, Node, but it is a very solid choice.

As a second alternative I would recommend still the JVM and its ecosystem, but
with the Scala language and Typesafe's platform. It offers an (arguably)
better language, the actor model (which may help with high-volume processing),
a modern web framework and may be more attractive to developers, but the
ecosystem is not as mature as pure Java.

~~~
smt88
Thanks for the input! I suspected that Java would be a frontrunner.

Scala is really interesting, but I'm concerned about likely having to train
every new developer. I know that a powerful tool takes time to learn, but I
don't know if we'd have the budget for new devs to be unproductive.

I'm also concerned about tooling. Having really deep IDE integration is a huge
productivity boost in other languages like Python. Is Scala still weak in IDE
integration?

~~~
frowaway001
When people complain about poor IDE support, they are usually ex-Java
developers who are accustomed to pretty much the best IDEs available (ever
tried writing Java without an IDE? It sucks.).

Scala IDE support is already better than IDE support for most other languages
like C++, F#, Haskell, OCaml, JavaScript, Python, Ruby, etc. It can't compete
with Java yet, but it is getting there slowly.

------
anonfunction
I would go with Golang: type safety means fewer unexpected errors, strong
adoption means easy to find engineers and good ecosystem of libraries.

~~~
facorreia
I'm curious about Golang. Do you believe it already fulfills OP's requisites
of "mature ecosystem" and "strong appeal to developers"? Has Go's ecosystem
maturity improved significantly (e.g. IDE support, debugging, mature libraries
-- how many years old? --, books, courses), and has its adoption approached
that of mainstream languages?

~~~
anonfunction
Yes I do. Golang is new compared to say Java but it was announced just over 5
years ago which is a fairly long time in the software world. It is backed and
used extensively by one of the biggest technology companies in the world
exactly for building fast, stable and secure web services which it does very
well.

The standard library is extensive and well thought out. There are many
libraries available on GitHub and it is easy to import them with `go get`. All
of this has caused it to be adopted and well received by developers. While not
quite up to par with established and well entrenched languages like C or Java
I believe it is climbing at a fast trajectory and has become the go-to
language for new startups here in SF right after Node.js, of course enterprise
is going to stick to the surefire safe bets in Java.

There is a difference to be noted in that Go is minimal and unlike Java in
that it is the convention to prefer using a simple text editor and small
libraries rather than rely on an IDE or huge frameworks such as you will find
in Javaland.

------
notduncansmith
If you've been tasked with leading this team... isn't this what you should be
doing?

Also, care to let us know what requirements Node fails?

