I'm preparing a talk titled "The AppSec Poverty Line" to discuss the bare minimum security measures that need to be in place before launching an app online. I want to focus on situations where the company doesn't have a security team or budget, and this is their first product. Here's my current list of essentials:
* Input validation
* Output encoding
* Parameterized queries
* Using new frameworks and languages instead of older ones
* Logging and monitoring
* Secure authentication and session management
* Proper dependency management (avoid bad dependencies)
* Transferring payment risk to third parties
* Implementing HTTPS
* Passing a basic DAST scan
* Doing a simple threat modeling framework
* Conducting a mini risk rating
* Allowing users to report issues (like a security.txt and contact email)
I'm curious if I'm missing anything critical that doesn't require spending money, just time. I know some aspects like monitoring and third-party payment management can incur costs, so I'm looking for purely foundational advice!
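Three items on that list (input validation, output encoding, parameterized queries) are easiest to get right when the vulnerable and the fixed form sit side by side. The block below is an added example, not code from the original post; the users table, its two rows, the username policy and the allowlist of sortable columns are all constructed for the demo. It also goes one step past the list: an ORDER BY column is an identifier, not a value, so it cannot be bound as a parameter and gets an allowlist instead.

```python
import html
import re
import sqlite3

# Columns a request may sort by. Identifiers cannot be bound as parameters,
# so the only safe way to accept one from a client is an allowlist.
SORTABLE_COLUMNS = {"username", "created_at"}
# Input validation: a strict shape for usernames (assumed policy for the demo).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def setup_db():
    """Constructed in-memory table with two demo rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, display_name TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Alice", "2024-01-01"), ("bob", "<b>Bob</b>", "2024-02-01")],
    )
    return conn


def find_user_unsafe(conn, username):
    """Deliberately vulnerable: the input is spliced into the SQL text."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterized: the driver sends the value separately from the query,
    so no input can change the shape of the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def list_users_sorted(conn, sort_by):
    """The edge case: ORDER BY takes an identifier, so a ? placeholder cannot
    be used. Reject anything outside the allowlist before it touches the SQL."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT username FROM users ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql)]


def validate_username(username):
    """Input validation: accept only the documented shape, reject everything else."""
    return bool(USERNAME_RE.match(username))


def render_display_name(conn, username):
    """Output encoding: escape at the moment stored data becomes HTML."""
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else f"<span>{html.escape(row[0])}</span>"


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))  # every row leaks
    print("safe:  ", find_user_safe(db, payload))    # no match
    print("sorted:", list_users_sorted(db, "created_at"))
    print("html:  ", render_display_name(db, "bob"))
```

The three controls are independent: validation narrows what gets in, parameterization keeps data out of the query text, and encoding happens at the last moment before output. Validation alone is not a substitute for the other two, because a display name like `<b>Bob</b>` can be perfectly valid input and still needs escaping when rendered.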
5 Answers
Starting out with static pages is definitely the simplest and most secure option. If your app has to be dynamic, just make sure you’re implementing the basics correctly. But simplicity is key at the start!
It's not just having the right practices in place; it’s also all about how you implement them. Even with prepared statements, you're still at risk if edge cases arise. Also, new frameworks aren’t a guarantee of security; thorough testing and actively searching for flaws in your own code are critical.
It’s also important to think about ingress security measures, like DDoS protections and a Web Application Firewall (WAF), especially since your app will be publicly accessible. And remember, hashing and salting passwords go a long way in keeping user data safe!
Definitely align with the OWASP Top 10! Also, it's crucial not to hardcode sensitive keys anywhere. I’ve seen too many projects where that leads to disaster.
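For the "never hardcode keys" point, here is an added example (not code from the answer) of the kind of pre-commit check a team with no security budget can run: a few regexes over source text, plus an entropy filter so placeholders like "changeme" do not drown the real findings. The AKIA prefix is the public format of AWS long-term access key IDs and the AKIAIOSFODNN7EXAMPLE value is the one AWS uses in its own documentation; the other patterns, the threshold, the allow marker and the sample source are constructed for this demo.

```python
import math
import re
from collections import Counter

# Detection rules (constructed for this demo). The AKIA prefix is the public
# format of AWS long-term access key IDs; the other two are generic shapes.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("generic-assignment", re.compile(
        r"(?i)(api[_-]?key|secret|passw(?:or)?d|token)\w*\s*[:=]\s*"
        r"['\"](?P<value>[^'\"]{8,})['\"]")),
]
ENTROPY_THRESHOLD = 3.5          # assumed; tune against your own false positives
ALLOW_MARKER = "# allow-secret"  # reviewable in-line exception for test fixtures


def shannon_entropy(value):
    """Bits per character; real keys score high, words like 'changeme' do not."""
    counts = Counter(value)
    length = len(value)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def looks_like_placeholder(value):
    """Values that are clearly not secrets: env references and low-entropy words."""
    return value.startswith("${") or shannon_entropy(value) < ENTROPY_THRESHOLD


def scan_source(text):
    """Return (line number, rule name) for every suspected hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, rx in RULES:
            m = rx.search(line)
            if m is None:
                continue
            if name == "generic-assignment" and looks_like_placeholder(m.group("value")):
                continue
            findings.append((lineno, name))
    return findings


# Constructed sample: roughly what a first commit of a small service looks like.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = os.environ["DB_PASSWORD"]
STRIPE_SECRET = "sk_live_7Qz4mN2pX9vB8kL1wR6tY3uJ"
default_password = "changeme"
token = "${GITHUB_TOKEN}"
-----BEGIN RSA PRIVATE KEY-----
test_api_key = "0123456789abcdef0123456789abcdef"  # allow-secret
"""


if __name__ == "__main__":
    hits = scan_source(SAMPLE_SOURCE)
    for lineno, rule in hits:
        print(f"line {lineno}: {rule}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```

Hook it up by feeding the staged changes (for example the output of `git diff --cached`) to `scan_source` from a pre-commit script and refusing the commit on a non-zero exit. The scanner is a backstop, not the fix: the fix is reading secrets from the environment or a secrets store at startup, as the `DB_PASSWORD` line in the sample does.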
You should also prioritize personal security training for employees to avoid common pitfalls like phishing. Implementing Multi-Factor Authentication (MFA) and minimizing exposed resources can really boost your security without heavy lifting on the budget.
That’s a solid point! Static pages can be very secure, but if you need more dynamic functionality, you should be careful about secure coding practices.