  2. 2

    These kinds of marketing posts seem to do better on Lobsters than on that other site. This one is by an appsec monitoring company, and employs the time-honored tradition of making a top-10 list that sneakily embeds their product into it. I’ll save you a read: their list, annotated:

    1. Follow the OWASP Top Ten. If it’s 2006, you might have a decent shot at covering what a smart tester will find just by working from the OWASP list. But it’s 2017. “OWASP Top 10” is a sort of useful shorthand in the trade for “all the different web app bugs, not all of which are captured in the OWASP Top 10, but at least you know that I’m talking about SQL Injection type stuff rather than use-after-free vulnerabilities”.

    2. Get An Appsec Audit. Sure? A good audit is going to cost between $15,000 and $25,000. If you pick the wrong vendor (and there are lots of wrong vendors to pick), you get to spend that money for basically nothing. How often are you doing audits and how much does your app change in those intervals?

    3. Implement Proper Logging. Okay.

    4. Use Real-Time Security Monitoring and Protection or Web Application Firewalls. If it’s me, writing this marketing piece, I probably don’t lump my product in with WAFs, which are not an especially well-regarded product category.

    5. Encrypt Everything. Missing practice: how to effectively encrypt anything so that a single game-over bug on your server doesn’t moot all the “encryption”.

    6. Harden Everything. This step is the “???” between “collect underpants” and “profit”.

    7. Keep Something Up To Date.

    8. Keep Something Else Up To Date.

    9. Know When To Keep Things Up To Date.

    10. Never Stop Believing In Yourself.
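The "Encrypt Everything" item above makes a concrete point: if the key that decrypts the data lives on the same server as the data, a single read-anything bug yields both and the encryption protects nothing. The Go program below, an added example that is not code from this comment or from the linked post, shows the two shapes side by side: scheme A keeps the data key on the box, so an attacker holding the server's contents decrypts at will; scheme B is write-only envelope encryption, where each record gets a fresh data key wrapped to an RSA public key whose private half never touches the server, so the same read bug yields only ciphertext. It goes slightly beyond the comment by naming the one case where server-side encryption does survive a server compromise: data the server writes but never needs to read back. `ServerDisk`, `StoreWithLocalKey`, `StoreWriteOnly`, `AttackerRecover` and `OfflineRecover` are names chosen here, and the record text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ServerDisk: everything a read-anything bug on the server hands an attacker.
type ServerDisk struct {
	Ciphertext []byte // AES-GCM output, nonce prepended
	LocalKey   []byte // scheme A only: data key stored beside the data
	WrappedDEK []byte // scheme B only: per-record key wrapped to an offline RSA key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// StoreWithLocalKey: "encrypt everything" with the key kept on the server.
func StoreWithLocalKey(plaintext []byte) (ServerDisk, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return ServerDisk{}, err
	}
	ct, err := gcmSeal(key, plaintext)
	return ServerDisk{Ciphertext: ct, LocalKey: key}, err
}

// StoreWriteOnly: envelope encryption for data the server writes but never reads
// back. A fresh DEK per record is wrapped to a public key held off the server.
func StoreWriteOnly(plaintext []byte, pub *rsa.PublicKey) (ServerDisk, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return ServerDisk{}, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return ServerDisk{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return ServerDisk{}, err
	}
	clear(dek) // the server forgets the DEK; only the wrapped copy remains on the box
	return ServerDisk{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// AttackerRecover decrypts using only what is present on the compromised disk.
func AttackerRecover(d ServerDisk) ([]byte, error) {
	if d.LocalKey != nil {
		return gcmOpen(d.LocalKey, d.Ciphertext) // scheme A: the read bug is game over
	}
	return nil, fmt.Errorf("no usable key material on server") // scheme B: only a wrapped DEK is resident
}

// OfflineRecover is the legitimate read path, run wherever the private key lives.
func OfflineRecover(d ServerDisk, priv *rsa.PrivateKey) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, d.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, d.Ciphertext)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	d, _ := StoreWriteOnly([]byte("constructed sample record"), &priv.PublicKey)
	_, attackErr := AttackerRecover(d)
	pt, _ := OfflineRecover(d, priv)
	fmt.Printf("attacker: %v; key holder: %q\n", attackErr, pt)
}
```

The asymmetry is the whole point: scheme B only works for data the application itself never has to decrypt, so it covers audit trails, backups and similar write-once records, not the session table the app reads on every request. For everything the server must read back, "encrypt everything" buys protection against a stolen disk or a leaked database dump, not against a bug in the running application.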

    1. 4

      Maybe the admins should take a look at the account that submitted this? It’s submitted 30 stories, of which 21 were from blog.sqreen.io, and 9 from blog.codacy.com, most of them of this listicle-ad style. No lobste.rs comments, just those submissions. Few of the posts actually got any upvotes, but it still seems like a source of spam/noise.

      1. 2

        These kinds of marketing posts seem to do better on Lobsters than on that other site.

        The smaller community size means it takes much much less to reach the front page. That has its upsides (lower barrier to participating meaningfully) and downsides (vulnerability to spam like this).

        People also tend to assume good faith. See this post in particular which was one of the last of what turned out to be an auto-posting bot.