I know what OWASP is by now but I find it too vague how perform the task of checking if an app (made of React and Node) is OWASP proof. I read about the top 10 security risks and I would like to know if there is any step-by-step guide or some software that would help me catching any weaknesses. Any reference to a developer story where this check is done would be appreciated.
There's tools like vulnerability scanners or package security scanners etc which will do some sort of automation on this. But in general, there isn't and there can't be any program which can tell you whether a given program has any or all of the top 10 security risks. Or, any general property you might want.
So automatic tools are a good idea, and there's a bunch of hosted and easy to use ones. But being aware of the code and what it does, as an engineer, is the most important thing.
The OWASP top 10 does not aim to be a standard, please read the Introduction of the document carefully. Building a good, secure software is hard - the top 10 is a good start, but you should always remember that it's only a start. Building a good, secure development lifecycle is what you're aiming for, and for that projects like OWASP SAMM or OWASP ASVS could help with. If you have a security team at your work - reach out to them and ask for help. If you don't have - me and so many other at the AppSec community would love to help you started.
Related
Where I stand: I am a junior in college. I have a solid background in Java and C++. I've been coding websites in JavaScript, HTML, CSS, and PHP (using MySql databases) since middle school. I have only just uncovered the magical box filled with these mysterious "frameworks."
My Predicament: After reading in my spare time wikis, blogs, and StackOverflow questions week after week for the past few months, I feel that I am no closer to understanding the items in this ominous list and how they relate to one another.
Yeoman, Grunt, Linemanjs, Bower
Nodejs, Go, PHP
Mongodb, Couchdb, MySql
Angularjs, Ember, Backbone
Terms like: boilerplate, scaffolding, frameworks, etc...
What I am asking: I understand that explaining any one of the above would be a question too big for a single Stack Overflow question, but that's not what I'm looking for. What I am looking for is a guide that explains in-depth what each of these groups are used for and if/how they can be combined (ex: using Angularjs with Nodejs). I am happy with a link if an article already exists, but I have yet to find an article that covers all of the above.
El Fin: I love learning new languages (especially for the web), but right now I feel like I'm blinded, running around in circles like a chicken with its head cut off. A shove in the right direction would be great :)
I'll put this in as an answer to help clarify why this is too broad.
I think that the GREAT BIG point you are missing is that there are specific reasons someone chooses a particular framework or server environment when they start a project.
This is all dependent of a boatload of things that like budget, knowledge, availability, expected scope of the project, etc... It also may come down to, "I'm starting this new project, what is available in this work environment for me to use?"
Then you don't really get to choose. You get what you get.
So what's the best package of technologies to use? That SO depends on what you're doing.
Example: If you are building a simple site for a local store that just needs a few pages, and you want to keep your costs low. A simple LAMP solution would work fine. But if you want to design the next Facebook, even though the core of the system could be build using all LAMP (and it in fact IS), you will need MUCH more powerful servers, and MUCH better and more efficient coding. Not to mention a boatload of server space for both the site AND the database.
In many cases, when you see people pooling together what might be considered obscure technologies, all they really break down to are collections of libraries. It's like choosing JQuery over some other JS library that essentially does the same thing. One may be better than the other. But you go with what you are comfortable with.
So, when you are asking about how, why, and in which way, do people combine technologies together, there is no way to answer that at all. Other than to say, it's specific to their needs. And that's about it.
Reading articles that compare all these different things together will only give you an idea of what they are capable of, and what their limitations are. In the end, it's always a matter of opinion what is better. Otherwise we would all be coding with the same thing.
For my part, I prefer PHP over ASP. I prefer working straight out of a text editor than using an IDE or any MVC framework. I use jQuery where it's needed, but don't over use it.
But that's just me.
And I'm sure this still didn't answer your question.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I've been lurking around for several weeks and have been totally blown away by the amount of information and how the community quickly responds. I have noticed that questions like this typically receive sarcastic remarks and sometimes get down voted. Please bear with me as I attempt my first post :)
I little background..
I work at a tiny software company as the "QA department". Our application has a MS SQL back to store customer data and short term loan information for financial service companies. I started working here 6 years ago as a gernal technician to provide support for their call center, so I've been overly exposed to SQL and have become fairly familiar with working with it. You probably wouldn't pay me to develop a enterprise level database, but at this point I've become familiar enough to do most things in SQL.
Why I'm asking my question..
I want to develop an application to store and track our software issues and new dev. I've done research on this website along with asking around and I still feel sort of lost as to which direction I should take. I want the core of the application to be pretty basic at first, to provide various screens between my entities/modules and to create reports to show their various relationships. In the future I want it to be more complex, to provide a web portal of some sort and to start getting into various complex QA software concepts. I've read around and it sounds like I might want some variation of C/VB for the windows portion, but all of the topics have sort of overwhelmed me. Do I want to start with a more basic one that was created 20 or 30 years ago? (I think that's C and C++, right?) or a more recent one like C#? Will I be able to develop a web portal with both of these? (by web portal I'm thinking it would provide access to our database of defects and have username/password sign-in). I've seen that the various .NET languages lean more towards web development, should I start with one of these?
I am at the very beginning of this and I fully understand that I'm jumping into some deep waters here. I want to make sure I don't end up spinning my wheels and that I focus my energy on something that won't end up being a bad idea in 1 or 2 years after I start. So far I've found this website very helpful, if I can pick a direction I know I won't have any problems finding what the next step is. It might help to know that I have no formal or informal programming background (if it wasn't obvious). I'm a 27yo techie who is starting his first venture into programming, go easy on me! Thanks for taking the time to read this :)
I won't recommend that you go to C, C++, or VB. C and C++ are used mainly for developement of system software, compilers, etc. VB is deprecated by now; there is a .net version VB.NET, but my preference is C#.
Looks like you are a Microsoft shop. Steer youself towards using C#. Visual Studio provides great support for development of Web Applications with support for holding state in entities backed by MS SQL.
I would start with a simple example as given in MSDN http://msdn.microsoft.com/en-us/library/dd410597.aspx.
This example uses an Model View Controller based framework that is fairly easy to configure and use. They have great examples.
There is a free framework that also supports MS SQL Entity store http://www.coderun.com/ide/
Enjoy
Don't write a line of code. There are literally hundreds of open source and commercial software packages that already do what you want to do. You'd be better of spending time researching them and finding the package that most closely meets your requirements. A good solution will also be extensible enough that you'll be able to modify it to meet all of your requirements.
Since you work for a small company I can guarantee you that using your limited development hours "writing your own" will be counterproductive. You'd be better off adopting something off the shelf and becoming proficient at it. You'll learn more about developing systems like this once you've become intimately familiar with one of them.
Check out JIRA or
http://en.wikipedia.org/wiki/Comparison_of_issue_tracking_systems for some other ideas.
For the benefit of your company I would recommend to use an existing
solution. But if you want to learn and build something of your own, I
would suggest that you check out some popular web application
frameworks, like:
Django
Ruby On Rails
Zend
Good Luck with your project!
Given that your intent is to learn and create something yourself I think you should consider a LAMP stack and PHP with one of the PHP frameworks on top (Cake PHP, code-igniter or the like).
The C++ route is a long hard way (C++ is my language of choice) to learn; as a learning experience I think you will get quicker and more satisfying results with PHP.
I also think that this is a realistic project for someone of your skills over a period of a 6 to 12 months - start with a simple requirement and then build it up to have all the features you need.
If you just want a bug tracking system obviously there are many options that won't demand any development.
How much experience do you have with things like installing Linux, Apache, Mysql, etc? If you are completely new to this, then this will be a much tougher task, because there are many layers you'll have to learn before you can even get to the point of writing an end-to-end application.
I would avoid C/C++/C# because there are a lot of things you would need to learn about basic programming before you even got to the stage where you could make database calls.
On the assumption that you don't have experience with LAMP (Linux/Apache/Mysql/(Perl/Python/PHP)), my suggestion would be to start simply, by using a scripting language like Python or Perl. You can very easily get a database connection, and start writing queries, and extracting data from there. If you are used to Windows, I would install ActivePerl or ActivePython, and start from there. You can start building a command line program that does what you want, and then from there, you can move on to creating a web application that can do something similar.
Building a web application would likely be much easier than writing a Windows application, so after you have gotten comfortable with the scripting language, that's the direction I would go afterwards.
Good luck!
I am planning to develop one website which should have following features
Database integration
online payment system
forum
I need suggestion for my following questions before I will proceed to develop my site.
Is there any any single development tool which can provide me one webserver + mysql database + user login + java-script support + webpage design + online payment system and forum and easy site maintenance ?
What best practice to start development of this type of project?
How much effort it need to maintain this type of project?
"database integration" isn't really a feature - it's the tool you use to deliver your features. A feature might be a shopping cart, or a product catalogue, or a structured navigation system, etc.
In order to talk to a database, you almost certainly need some back-end code to be running, and you need to be able to program.
Yes, there are frameworks/tools that accelerate this, but you do need to invest at least in the basics of learning how to code.
Alternatively, if what you really want is to build an online shop, sign up for a "software as a service" offering where all you have to do is configure the product.
Sounds like you could use a framework to do your project with. Take a look at http://www.drupal.org.
If you're including an online payment system then you need to ensure that it's high quality, developed by people who know how to properly secure such a system. You should also be looking for a solution that handles pretty much everything you need it to do or that allows you to plug in modules for additional functionality rather than modifying solid code. There are so many ways for a developer to foul up even the best designed system that it's best to just leave it alone unless you're fully up-to-speed on secure coding guidelines.
IF what you really need is a way to sell things, and content to manage, then what you're looking for is a shopping cart with content management capabilities. There are plenty of good ones out there, and you should Google them. We went with the AspDotnetStorefront because it suited our needs, and was PACB certified, but there are plenty of others out there. Shop around if this is the type of thing you're looking for.
That said, you can get a good framework that has shopping cart options, and also the ability to add/modify modules to provide functionality with DotNetNuke. There are a wide variety of pre-existing modules to choose from as well. And you certainly can't beat the price on the free version. Developing for it takes some getting used to (there's a learning code even for experienced .NET developers) but it's pretty flexible.
Edit - I realize I'm only offering .NET suggestions, but you didn't mention what development tools/language you are comfortable with, so I'm mentioning the ones I've worked with. There are good (some arguably better, some arguably worse) Java and PHP equivalents to the suggestions I'm offering as well.
now we are working in one project.in that project we choosed HTML5 and CSS3 designed. but still we have confuse on server side scripting, whether php,ruby,python,scala,and more and more..our requirements is nothing but
SERVER SCRIPTING LANGUAGE:our server side scripting language is secure and more helpfull(ease of development,security,maintenance) in anystage. can you please suggest me which is good at present(21-10-10)? sorry if this question is make argument...
and can you say which is current trend in web development language...not ask about which language...but which trend(first functional programming to oops concepts...is still oops concepts or we switched to any recent trend? )
and i heard by using proper oops class structure with any language we can enhance security? is it true?
i searched lot and lot more than 1 week. but still confuse...
DATABASE: still confuse on which data base is best for us?
sorry to everyone if my question make hurt or make more discussion? and thanks to everyone...
It depends on the complexity of applications, performance requirements, target audience (corporate intranet, internet,...) and budget.
If you can give more details on these then you might get a better suited answer and not a very general one (like this)
And more importantly in which technology you and your team are comfortable with. A Java project and PHP project's success, in completion and performance is more on the team's experience and expertise than on the language itself, to a great extent.
See also these questions: (php vs python) scalability, PHP and Java performance and scalability comparison, and this article by Joel.
Ok, you asked about security:
It is the application architecture and code that decides security at the end of the day, not the language itself.
OOP is a nice paragdim to code, makes developemnt and maintenance (arguably)easier, but end of the day, it is how you implement it, what your architecture is, and how good you coding practices are.
OOP alone will not make your site secure. Nor will the use of any particular language or OS or framework. Only good practices will help you, and most of those apply regardless of paradigm, language, or platform.
As for language popularity, PHP, Python, and Ruby (on Rails) seem pretty popular. As do .net languages, particularly C#. Don't mistake "popular" for "good" or especially "secure", though -- you need to evaluate the languages for yourself, and don't trust what some random geek on the intarwebz tells you, as we're not the ones who'll have to build stuff with it. And above all, follow the best practices for the language/framework you choose, or any benefits it claims to offer will likely be null and void.
I'm going to write a rather big/complex WinForm application such as Paint.NET, SharpDevelop, etc. I think one of the most important things to build such an application is to structure the project properly to increase maintainability and control the complexity.
So what kind of patterns or practices show I use? Any blog posts, papers, open source projects are welcomed. I'm trying to learn something from SharpDevelop but it's rather huge for me to step into.
PS: I'm an experienced programmer formerly targeting to web developement(asp.net, rails, etc.). So I know some design principles and how to use them when implement business logics. Maybe I really need now is a sample to get started with a WinForm application so that I can realize how to handle the menus, controls and others. I've learnt something about the MVP pattern but still unconfident to start a large/complex application.
For big projects the methodology and the tools you are using are equally as important as the architectural design. You need to set up a source control system (like SVN) from day one. Also, it is very good to have a standard build procedure and perform builds in a daily basis. The build procedure should include running all tests, which you should also put some effort in implementing from the start.
Regarding the structure, I believe the single most important thing is to divide your project into building blocks with mimimal dependecies on each other. This way you will be able to think about one small part of the system at the same time and not have to face the full complexity of it. It will also help delegate some work to a fellow programmer, if you have this chance.
In order to get started, I recommend that you implement first something minimal as quick as possible. Then work to make it better and add functionality. This will keep you motivated as you will have something concrete to work with. It will also help you identify major design flaws and important issues early enough to correct them.
This is a good beginners guide from Microsoft itself:
http://msdn.microsoft.com/en-us/beginner/default.aspx
check the Windows track there.
After mastering basics - and since you are an experienced developer - you can check this book "patterns & practices Application Architecture Guide 2.0" from Microsoft also.
I would imagine that many of the techniques that make for successful web projects will translate to Winforms projects. Start small and grow the application incrementally. Try to keep the entire application building/working while you add features one at a time.