
Ask HN: Is there any site outlining the key security concerns for web apps? - eelliott
Reading the while(1) thread I got wondering if there is any reliable site that outlines the key security issues web developers should know about?
======
amk_
- [https://cto-security-checklist.sqreen.io/](https://cto-security-checklist.sqreen.io/)

- [https://github.com/FallibleInc/security-guide-for-developers...](https://github.com/FallibleInc/security-guide-for-developers/blob/master/security-checklist.md)

And there are more that have been posted here:
[https://hn.algolia.com/?query=security%20checklist&sort=byPo...](https://hn.algolia.com/?query=security%20checklist&sort=byPopularity&prefix&page=0&dateRange=all&type=story)

------
detaro
[https://www.owasp.org](https://www.owasp.org)

~~~
eelliott
Thanks, but that doesn't really cut through the noise. It's not really for
dummies; it would be nice if there was a good UI site with simple explanations
and solutions. I'm sure this will be decried as trying to simplify something
which can't/shouldn't be simplified, but it seems otherwise web developers
largely stay ignorant.

~~~
detaro
Have you seen their Top 10 lists and other cheat sheets?
[https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)

They're not necessarily great at explaining the issues, but they cover what to
do quite extensively.

~~~
eelliott
Thanks, that does seem helpful; it could be improved by explaining the
background to each of the 10.

~~~
fosco
There is considerable information behind each item. For example, A1 has its own
link [0] describing much in detail. There is an incredible wealth of
information there if you poke around a little; I suspect it has everything you
are looking to learn.

[0]
[https://www.owasp.org/index.php/Top_10_2013-A1-Injection](https://www.owasp.org/index.php/Top_10_2013-A1-Injection)

------
sharmi
A practical security guide for web developers | Hacker News
[https://news.ycombinator.com/item?id=12140477](https://news.ycombinator.com/item?id=12140477)
DevGuide/02-Policies, Standards and Guidelines.md at master · OWASP/DevGuide
[https://github.com/OWASP/DevGuide/blob/master/01-Foundations...](https://github.com/OWASP/DevGuide/blob/master/01-Foundations/02-Policies%2C%20Standards%20and%20Guidelines.md)
Security Engineering - A Guide to Building Dependable Distributed Systems
[http://www.cl.cam.ac.uk/~rja14/book.html](http://www.cl.cam.ac.uk/~rja14/book.html)
Wiley: The Web Application Hacker's Handbook: Finding and Exploiting Security
Flaws, 2nd Edition - Dafydd Stuttard, Marcus Pinto
[http://as.wiley.com/WileyCDA/WileyTitle/productCd-1118026470...](http://as.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
LastPass Security Notice | Hacker News
[https://news.ycombinator.com/item?id=9721212](https://news.ycombinator.com/item?id=9721212)
LastPass Security Notice | The LastPass Blog
[https://blog.lastpass.com/2015/06/lastpass-security-notice.h...](https://blog.lastpass.com/2015/06/lastpass-security-notice.html/)
Linux workstation security checklist | Hacker News
[https://news.ycombinator.com/item?id=10134009](https://news.ycombinator.com/item?id=10134009)
KeePass – questionable security | Hacker News
[https://news.ycombinator.com/item?id=9727297](https://news.ycombinator.com/item?id=9727297)
SJCL – Stanford JavaScript Crypto Library | Hacker News
[https://news.ycombinator.com/item?id=13820722](https://news.ycombinator.com/item?id=13820722)
System design primer
[https://news.ycombinator.com/item?id=13823979](https://news.ycombinator.com/item?id=13823979)
WordPress Stripe plugins. How secure are they?
The Netflix Tech Blog: Netflix Security Monkey on Google Cloud Platform
[http://techblog.netflix.com/2017/03/netflix-security-monkey-...](http://techblog.netflix.com/2017/03/netflix-security-monkey-on-google-cloud.html)
Quick Start Guide — security_monkey 0.6.0 documentation
[https://securitymonkey.readthedocs.io/en/latest/quickstart.h...](https://securitymonkey.readthedocs.io/en/latest/quickstart.html#gcp-configuration)
[https://news.ycombinator.com/item?id=13862253](https://news.ycombinator.com/item?id=13862253)
Try to get CS 161 University of Berkeley - Highly recommended, esp. Prof Wagner
or Prof Weaver
[http://www-inst.cs.berkeley.edu/~cs161/sp16/](http://www-inst.cs.berkeley.edu/~cs161/sp16/)
Laptop security
[https://news.ycombinator.com/item?id=13854625](https://news.ycombinator.com/item?id=13854625)
[https://www.oreilly.com/ideas/jessy-irwin-on-making-security...](https://www.oreilly.com/ideas/jessy-irwin-on-making-security-understandable-for-everyone)

I am sick today. So I couldn't sort the links or format them. Hope it helps
you.

