{"id":113,"date":"2019-03-27T00:41:31","date_gmt":"2019-03-27T00:41:31","guid":{"rendered":"http:\/\/jwonsever.com\/wp\/?p=113"},"modified":"2023-11-25T01:20:27","modified_gmt":"2023-11-25T01:20:27","slug":"an-opinion-on-internet-security","status":"publish","type":"post","link":"https:\/\/jwonsever.com\/wp\/?p=113","title":{"rendered":"An opinion on internet security"},"content":{"rendered":"<p>How do I know what kinds of proactive internet security are worthwhile for my software project?<\/p>\n<hr \/>\n<p>I have been struggling, for years, to find a good answer to this question. This seems like something I could have learned in a graduate course on security, but I\u2019m naive and now that I\u2019m looking for an answer, I cannot find one. Why isn\u2019t there just a pretty diagram showing me what I need to do over at <a href=\"https:\/\/en.wikipedia.org\/wiki\/OWASP\">OWASP<\/a>?<\/p>\n<p><a href=\"http:\/\/jwonsever.com\/wp\/wp-content\/uploads\/2019\/05\/security.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-117 aligncenter\" src=\"http:\/\/jwonsever.com\/wp\/wp-content\/uploads\/2019\/05\/security-300x107.png\" alt=\"\" width=\"734\" height=\"262\" srcset=\"https:\/\/jwonsever.com\/wp\/wp-content\/uploads\/2019\/05\/security-300x107.png 300w, https:\/\/jwonsever.com\/wp\/wp-content\/uploads\/2019\/05\/security-768x273.png 768w, https:\/\/jwonsever.com\/wp\/wp-content\/uploads\/2019\/05\/security-700x249.png 700w, https:\/\/jwonsever.com\/wp\/wp-content\/uploads\/2019\/05\/security-640x228.png 640w, https:\/\/jwonsever.com\/wp\/wp-content\/uploads\/2019\/05\/security.png 1406w\" sizes=\"auto, (max-width: 734px) 100vw, 734px\" \/><\/a><\/p>\n<p>First off, there are countless attack vectors, any software is potentially vulnerable. There are non-technical phishing attacks, attacks on your hardware \/ bios \/ OS, attacks over the internet, etc, along with multiple layers of \u201csecurity\u201d to be applied at every step. 
Some simple strategies to protect against these attack vectors are obvious, such as only depending on software that is not known to have vulnerabilities, updating modules to get bug fixes, etc. Testing for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting\">XSS<\/a> vulnerabilities anywhere a user can input. <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application_firewall\">Firewalls<\/a>. <a href=\"https:\/\/kb.itglue.com\/hc\/en-us\/articles\/212635818-About-password-security-and-encryption\">Password encryption<\/a>. <a href=\"https:\/\/en.wikipedia.org\/wiki\/Fuzzing\">Fuzzing<\/a>. <a href=\"https:\/\/www.hackerone.com\">Bug bounties<\/a>. What next? There are hundreds of things you can do; how do you know which ones are enough?<\/p>\n<p>Second, a codebase often has many entry points, more than can be enumerated and more than can be tested. Combining all potential vectors with all potential weaknesses gives a threat agent so many resources and strategies that if someone wants to hack you, <a href=\"https:\/\/informationisbeautiful.net\/visualizations\/worlds-biggest-data-breaches-hacks\/\">it is only a matter of time<\/a>. Hopefully, the <a href=\"https:\/\/cleantechnica.com\/2019\/03\/25\/hackers-walk-away-with-375000-and-a-tesla-model-3-at-2019-pwn2own-event\/\">good guys<\/a> find it and report it first. After the recent articles about <a href=\"https:\/\/cleantechnica.com\/2019\/03\/25\/hackers-walk-away-with-375000-and-a-tesla-model-3-at-2019-pwn2own-event\/\">Pwn2Own<\/a>, the security flaws I\u2019ve seen and heard of, and the amount of exploited data in the past few years, I figure the best and only perfect way to protect your application is simply not to have one. Obviously that\u2019s not a possibility, so when have you done enough? How can you balance product against security?<\/p>\n<p>Some security approaches seem almost useless. 
<a href=\"https:\/\/deepsec.net\/docs\/Slides\/2016\/CSP_Is_Dead,_Long_Live_Strict_CSP!_Lukas_Weichselbaum.pdf\">CSP doesn\u2019t protect against anything in 90+% of cases<\/a>. Some things are redundant, <a href=\"https:\/\/sockpuppet.org\/blog\/2015\/01\/15\/against-dnssec\/\">DNSSEC<\/a> is meaningless and you should assume that is always insecure. How can I tell what is useful and what is not?<\/p>\n<p>I need help. If someone can tell me what to read to get a clear picture, from an established professional with a good track record, please, please do. If they work at a company that gets hacked or exploited regularly, have they really been doing a good job?<\/p>\n<hr \/>\n<p>If you feel like this, I&#8217;m sure you aren&#8217;t alone. While you can never stop someone from trying to get in, there are 2 things to do.<\/p>\n<p>First &#8211; purchase active monitoring of your endpoints. <strong>Once<\/strong> someone gets in, this will help you get them out. Second &#8211; do the basics, get the good guys helping you through bounties, and spend as much time on <a href=\"https:\/\/securityskeptic.typepad.com\/the-security-skeptic\/anti-phishing-and-fraud-resources.html\">anti-fraud<\/a>, <a href=\"https:\/\/www.cnet.com\/news\/apple-tied-to-new-privacy-website-suggesting-future-security-marketing\/\">marketing<\/a>, and risk management to make it <strong><em>seem<\/em><\/strong> like you are doing a good job. Do everything you can so you don&#8217;t seem like an easy target. Remember, in today\u2019s social climate, <a href=\"https:\/\/www.bostonglobe.com\/news\/politics\/2018\/08\/19\/the-new-alternative-facts-truth-isn-truth\/i4eMGgXmTjC2mo0HIzP2IK\/story.html\">facts and truth<\/a> don\u2019t really matter. 
Maybe it\u2019s more important to seem secure than to be secure.<\/p>\n<p>References<br \/>\n<a href=\"https:\/\/deepsec.net\/docs\/Slides\/2016\/CSP_Is_Dead,_Long_Live_Strict_CSP!\">https:\/\/deepsec.net\/docs\/Slides\/2016\/CSP_Is_Dead,_Long_Live_Strict_CSP!<\/a><br \/>\n<a href=\"https:\/\/cleantechnica.com\/2019\/03\/25\/hackers-walk-away-with-375000-and-a-tesla-model-3\">https:\/\/cleantechnica.com\/2019\/03\/25\/hackers-walk-away-with-375000-and-a-tesla-model-3<\/a><br \/>\n<a href=\"https:\/\/medium.com\/swlh\/what-are-the-best-practices-for-securing-your-saas-application\">https:\/\/medium.com\/swlh\/what-are-the-best-practices-for-securing-your-saas-application<\/a><br \/>\n<a href=\"https:\/\/www.sohamkamani.com\/blog\/2017\/01\/16\/web-security-essentials\/\">https:\/\/www.sohamkamani.com\/blog\/2017\/01\/16\/web-security-essentials\/<\/a><br \/>\n<a href=\"https:\/\/sockpuppet.org\/stuff\/dnssec-qa.html\">https:\/\/sockpuppet.org\/stuff\/dnssec-qa.html<\/a><br \/>\n<a href=\"https:\/\/sockpuppet.org\/blog\/2015\/01\/15\/against-dnssec\/\">https:\/\/sockpuppet.org\/blog\/2015\/01\/15\/against-dnssec\/<\/a><br \/>\n<a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application_security\">https:\/\/en.wikipedia.org\/wiki\/Web_application_security<\/a><br \/>\n<a href=\"https:\/\/en.wikipedia.org\/wiki\/OWASP\">https:\/\/en.wikipedia.org\/wiki\/OWASP<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How do I know what kinds of proactive internet security are worthwhile for my software project? I have been struggling, for years, to find a good answer to this question. 
This seems like something I could have learned in a graduate course on security, but I\u2019m naive and now that I\u2019m looking for an answer,<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-113","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=113"}],"version-history":[{"count":6,"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/113\/revisions"}],"predecessor-version":[{"id":212,"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/113\/revisions\/212"}],"wp:attachment":[{"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jwonsever.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}