Hacker News new | past | comments | ask | show | jobs | submit login

An angle that sometimes helps is reframing security as (business) validation and introducing proper type modeling.

The best thing anybody can do for this is making apis that make `unrepresentable` unsafe things.

` A classic is password length. Instead of `login(user:str, pwd:str)`, do `login(user:NotEmptyStr, pwd:ValidPwd)`.

This is stuff that must be done in the lower layers, to take advantage of how lazy people is. Do it for the most popular libraries and frameworks and we are talking about real impact.




Is the idea that the attacker is brute forcing the login method and they are less likely to be successful if the input must be passed in an unexpected format?


Types where the constructor takes care of the rules and aborts if you pass it something stupid (like an empty string for a user name).


This is a bit of a stretch, but I'm willing to entertain the idea if you could toss me a link or two to more in-depth write ups on the topic




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: