Ask HN: What's the hardest thing to secure in a web-app? - juansgaitan
======
westurner
"OWASP Top 10 Most Critical Web Application Security Risks"
[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

> _A1:2017-Injection, A2:2017-Broken Authentication, A3:2017-Sensitive Data
> Exposure, A4:2017-XML External Entities (XXE), A5:2017-Broken Access
> Control, A6:2017-Security Misconfiguration, A7:2017-Cross-Site Scripting
> (XSS), A8:2017-Insecure Deserialization, A9:2017-Using Components with Known
> Vulnerabilities, A10:2017-Insufficient Logging & Monitoring_

"OWASP Top 10 compared to SANS CWE 25"
[https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-s...](https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/)

------
fulafel
Robust confidentiality against traffic analysis is one.

~~~
juansgaitan
Can you explain what you mean by "confidentiality against traffic analysis"?

~~~
fulafel
TA is a term of art in crypto. It means you can deduce what the parties are
communicating and who they are by statistically analysing the sizes, timings
and addresses of messages. In practice, it's easy for an eavesdropper to see
you are using Gmail, and also possible to deduce whether your email content
matches some known messages the eavesdropper possibly has seen before. Etc.
One widely known tech that tries to mitigate TA is Tor.
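
A small added illustration of the size-based part of this (an example written for this page, not from the thread): an eavesdropper who already holds a set of candidate messages can match an observed ciphertext length against them, and padding plaintexts to a fixed block size widens the set of messages that share a wire size. The corpus, the 16-byte overhead and the 256-byte padding block are constructed assumptions.

```python
# Added illustration (not from the thread): how message sizes alone can
# fingerprint content, and how padding blunts that. Assumes an AEAD-style
# cipher where ciphertext length = plaintext length + a fixed overhead
# (16-byte tag here); real protocols add framing, but the idea holds.
from collections import Counter

OVERHEAD = 16      # assumed AEAD tag size in bytes
PAD_BLOCK = 256    # assumed padding granularity for the mitigated variant

# Constructed corpus standing in for "known messages the eavesdropper has seen".
KNOWN_MESSAGES = {
    "newsletter": b"x" * 1337,
    "password_reset": b"y" * 412,
    "invoice": b"z" * 431,
    "two_factor_code": b"w" * 97,
}

def ciphertext_len(plaintext: bytes, pad_to: int = 0) -> int:
    """Length an eavesdropper observes on the wire for an encrypted message.
    With pad_to > 0 the plaintext is first padded up to a multiple of pad_to."""
    n = len(plaintext)
    if pad_to > 0:
        n = -(-n // pad_to) * pad_to   # ceiling to the next block boundary
    return n + OVERHEAD

def candidates(observed_len: int, corpus: dict, pad_to: int = 0) -> set:
    """Known messages whose on-the-wire size matches the observed size.
    A singleton set means size alone identified the message."""
    return {name for name, msg in corpus.items()
            if ciphertext_len(msg, pad_to) == observed_len}

def anonymity_set_sizes(corpus: dict, pad_to: int = 0) -> dict:
    """For each known message, how many corpus messages share its wire size."""
    sizes = Counter(ciphertext_len(m, pad_to) for m in corpus.values())
    return {name: sizes[ciphertext_len(m, pad_to)] for name, m in corpus.items()}

if __name__ == "__main__":
    wire = ciphertext_len(KNOWN_MESSAGES["password_reset"])
    print("unpadded:", candidates(wire, KNOWN_MESSAGES))               # {'password_reset'}
    wire = ciphertext_len(KNOWN_MESSAGES["password_reset"], PAD_BLOCK)
    print("padded:  ", candidates(wire, KNOWN_MESSAGES, PAD_BLOCK))    # {'password_reset', 'invoice'}
```

Padding only raises the cost; timing and address patterns still leak, which is why Tor also fixes cell sizes and routes traffic through relays.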

------
codegladiator
Do you mean like credit card number?

~~~
juansgaitan
Could be. What do we need to ensure credit card number security for example?

~~~
cableshaft
Not asking for one is by far the best way.

If you absolutely need to do credit card payments, then consider using a third
party system to handle it (like Stripe).

