1. 4

  2. 1

    I have to admit, I’m a bit skeptical about “web security checklists” which don’t even mention OWASP. I’d have other criticisms of the article as well, but I’m not sure it’s worth going through them.

    1. 2

      Overall the checklist seems pretty useful from the “covering your bases” point of view. The major components seem to be covered, but I’m not a security expert. What are your other criticisms, if you don’t mind sharing?

      1. 2

        I wouldn’t say it’s a very high-quality list; it seems pretty light on actual details. Not referencing OWASP is a bit of a red flag, because at least in my world, it’s pretty well respected (although out of date on some things).

        Here’s a few specifics, though:

        > If you have drunk the MVP cool-aid and believe that you can create a product in one month that is both valuable and secure

        That’s really not what MVP is about. Creating an MVP without security shouldn’t equal “creating a product”. Also, “MVP cool-aid”? Hmm.

        > Use encryption for data identifying users…

        Eh? What? Like user IDs or usernames?

        > … and sensitive data like access tokens, email addresses or billing details if possible (this will restrict queries to exact match lookups).

        Encrypt access tokens? And I really don’t understand what is meant by “restrict queries to exact match lookups” in the context of encryption.

        > Fully prevent SQL injection by only using SQL prepared statements.

        SQL injection isn’t “fully” prevented by prepared statements, but they do help a lot.

        > Implement simple but adequate password rules that encourage users to have long, random passwords.

        Random is really necessary. And even simple rules are frequently prohibitive.

        > Consider CAPTCHA on front-end APIs

        > While security through obscurity is no protection, using non-standard ports will make it a little bit harder for attackers.

        “While security through obscurity is no protection, do it anyway”.

        > Always use AWS IAM roles and not root credentials.

        Unless you’re not using AWS.

        My reply is already long enough, so I’ll stop now. I’ve probably been overly critical, but the initial feeling I had wasn’t too great. It would also have been nice for there to be some links to more details about all of these points; a lot of people aren’t going to know about X-XSS headers, IDSes, etc.
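        An added example illustrating the prepared-statement point raised in the comment above; it is not code from the article or from anyone in this thread. It runs against an in-memory SQLite database with constructed sample rows (the `users` table, its columns and the two accounts are assumptions). It shows the vulnerable string-built query beside the parameterized one, and then the case prepared statements do not cover: a caller-chosen identifier such as an `ORDER BY` column, which cannot be bound as a parameter and has to be checked against an allow-list instead.

```python
"""Added example (not from the article or the thread): what prepared
statements do and do not cover.  Uses an in-memory SQLite database with
constructed sample data; the table, column and account names are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the caller's value is spliced into the SQL text, so a
    value containing quotes and operators changes the query's structure."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the value is bound separately from the SQL text,
    so it is only ever compared as data and can never alter the query."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Identifiers (table and column names) cannot be bound as parameters, so a
# caller-chosen sort column must be validated against a fixed allow-list.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Safe use of a dynamic identifier: reject anything not on the allow-list
    before it is interpolated into the statement."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT username FROM users ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # both rows leak
    print("safe:  ", find_user_safe(db, payload))     # no match
    print("sorted:", list_users_sorted(db, "role"))
    try:
        list_users_sorted(db, "role; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```

        The payload `x' OR '1'='1` returns every row through the string-built query and nothing through the bound one, which is the whole benefit of prepared statements; the allow-list in `list_users_sorted` is the extra step needed wherever the query shape itself (column, table, sort direction) comes from the caller.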

        1. 1

          Cool, thanks for elaborating.

      2. 2

        It’s nice to name drop, but I’m not sure OWASP is especially important. I mean, literally, I’m not sure. When I look at it, it now looks like old, well-known vulnerabilities largely made obsolete by better frameworks. But the average developer is probably inexperienced, especially with security issues, and using bad tooling in unsafe ways. I dunno.

        1. 1

          That article you referred to is very specific to Rails. OWASP is language-agnostic. It may be that everybody using Rails is using better frameworks that make issues obsolete - but a lot of the rest of the web isn’t.

        2. 1

          I think checklists can be great for ensuring proper processes are followed, and that the obvious steps are not missed, or done in the wrong order, but I agree that checklists are not a panacea (e.g. checklists in aviation and healthcare).