
Ask HN: How can I learn to secure my application infrastructure against attacks? - grepthisab
I created an app a year ago, a web app. It stores lots of customer information. Traditional front end in React, Express middle, and a database server type of layout. I am not a security person but believe I generally follow best practices with regard to things like MFA/password policies/etc.

However, I am worried that there are things I am missing that will subject me to a data breach and loss of customer data. How do I learn to secure my app? Is there a checklist of best practices? Not really sure where to start outside of making sure everything is always patched and updated and following sane password/authentication schemes.

Maybe there's a good book on the subject?
======
jvehent
> Maybe there's a good book on the subject?

Shameless plug: I wrote a book exactly on this topic, and you're my target
audience, so hopefully it answers a bunch of your questions.
[https://www.manning.com/books/securing-devops](https://www.manning.com/books/securing-devops)

And I'm genuinely interested to know if you find it useful. Feel free to reach
out!

------
ramtatatam
Some will argue about the usefulness of the CISSP certificate, but I'd say the prep
guides are definitely a good source of solid foundations in terms of recognised
good practices.

------
mtmail
For express.js have a look at
[https://www.npmjs.com/package/helmet](https://www.npmjs.com/package/helmet)

------
ivanr
It's a tricky question, and I've spent years of my life trying to answer it.
Hey, I am a security person and a developer and I don't always trust myself to
do the right thing. No matter how much time I spend educating myself, there's
_always_ something I still need to learn.

At the operating system level, the bare minimum is to run only the services you
need, have a firewall that refuses unwanted traffic, and patch regularly.
If you can, automatically apply security patches.

In terms of application security, in the ideal case you will have a budget
that allows you to hire professionals to take a look at your systems, both
from the inside and the outside. Simplifying, internal reviews usually try to
answer the question "is this correctly built", whereas external reviews
usually focus on "can we get in".

If you don't have a budget (as many small operations don't), I'd recommend the
following approach:

1) Make sure you fully understand XSS and SQL injection vulnerabilities. These
two are usually responsible for the majority of security issues in
applications. The latter can easily lead to full data loss. Understanding them
is not easy, but it's manageable. Once you know enough, make sure your
applications are not vulnerable. CSRF is something that you should look into,
also.

2) Security is not something developers can ignore, so allocate some time
every week to learn something new. Even though this is a never-ending task,
after a couple of months (and years) you will be much better off.

3) Continuously run entry-level scans against your application, for example
using OWASP ZAP
([https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)).
This should help you avoid the obvious problems. They have a Docker image and
something they call a "passive scan", which addresses low-hanging fruit.

4) Harden your application, applying all modern security standards that make
sense. I've decided that this is where people should focus their efforts
first. An application that utilises a good number of standards is robust and
can resist exploitation even when vulnerable. (Anecdote: the number of
vulnerability reports dropped dramatically after Mozilla deployed CSP.) This
step can be tricky, too, because there are so many standards and many ways to
misconfigure them. My earlier work (SSL Labs,
[https://www.ssllabs.com](https://www.ssllabs.com)) focused on encryption and
certificates. My current project (Hardenize,
[https://www.hardenize.com](https://www.hardenize.com)) focuses on a wide
range of security standards, starting from DNS (DNSSEC/DANE/CAA, etc.),
through email and TLS, to application security (e.g., CSP, cookies, mixed
content, SRI, etc.). The idea with Hardenize is especially to help people who
don't have the budget but nevertheless want to stay informed and do the best
they can, security-wise.
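As an added example (not code from any poster in this thread), here is a dependency-free Express-style middleware showing the kind of hardening headers that helmet (mentioned by mtmail) sets, which is ivanr's point 4, next to the output-encoding and parameterized-query habits behind his point 1 on XSS and SQL injection. The CSP policy values, the same-origin React bundle it assumes, and the `$1` placeholder style (PostgreSQL's pg driver) are assumptions about the stack, not details from the thread.

```javascript
// Hardening headers (illustrative values). The CSP assumes a React bundle
// served from the same origin with no inline scripts: that restriction is
// what stops an injected <script> from running even if an XSS bug exists.
const SECURITY_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; " +
    "base-uri 'self'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'no-referrer',
};

// Express-compatible middleware: app.use(securityHeaders). Only the
// (req, res, next) contract is relied on, so it runs without Express.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Session cookie flags: HttpOnly keeps script from reading it after an XSS,
// Secure keeps it off plaintext HTTP, SameSite=Strict blunts CSRF.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// XSS: encode untrusted data before it lands in HTML. React escapes JSX
// children for you; server templates and dangerouslySetInnerHTML do not.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// SQL injection: concatenation lets the input rewrite the statement.
// Vulnerable form, kept only for comparison.
function findUserUnsafe(email) {
  return `SELECT id FROM users WHERE email = '${email}'`;
}

// Parameterized form: the query text is fixed and the input travels
// separately, so the driver never interprets it as SQL.
function findUserSafe(email) {
  return { text: 'SELECT id FROM users WHERE email = $1', values: [email] };
}
```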

