How to Secure Your App - The ULTIMATE Reference
moveax41h last edited by moveax41h
“How do I secure my app?”
Although the answer itself can involve a series of steps, I believe that finding the answer is overly complex, especially with the technologies available on the modern web. I got tired of getting a run-around as a developer when seeking info - “Implement proper input validation,” “Install updates,” “Sanitize or parameterize database queries,” and so on… Lots of general “advice” but as developers, we need to know exactly what needs to be done in order to implement effective security into our apps. Additionally, advice clashes - “how do I prevent XSS” - some folks say sanitize user input, others say sanitize server-side requests, others say set the proper XSS headers, etc…
We cannot make your app secure for you - that requires work on your part - but we can make learning how to properly secure your app much easier.
For this reason, this post strives to answer “exactly how do I secure my app?” One of the most fundamental and important pieces of info that we need in order to provide you, the app developer, with concrete information, is “what technologies are you trying to secure?”
Thus, the data below will be organized in the following order:
2.) Type of resource (Frameworks, Secure Coding Practices, etc…)
Note that this guide, unlike many others on the web, is focused on how a developer/programmer/engineer can secure his/her app. It is not geared toward hacking, pentesting, or auditing an app. We will have a separate list for those items.
What does it mean to have a “secure” app?
For the purposes of this post, a “secure app” is an app which implements all known best-practice recommendations. For an app to be truly “secure”, it involves potentially hundreds of proper configuration requirements which should also be followed up by rigorous security testing built into the SDLC. However, every little bit counts. If you are not able to test, you can at least do your best in development. We want to make this process as easy as possible to perform.
How to use this reference
- Press Ctrl+F or Cmd+F and type the technology you’d like to learn about.
- Follow the links and learn
This page will be continuously updated as I have time, find more resources, and as resources become dead-links and/or outdated. The point is to have up-to-date or at least relatively recent advice since new threats pop up in security. If you would like to add a resource and it meets quality standards, feel free to post below.
These are higher-level guidelines/standards that you can use to ensure your software follows best security practices, or decide on which practices make sense to implement.
- OWASP Secure Coding Practice (all technologies)
- OWASP Web App Security Checklist/ASVS
- IoT Security Compliance Framework
- Node.js Secure Code Guidelines
- 23+ Node.js Security Best Practices
- Express.js Production Best Practices: Security
- Security in Angular: Part 1
- Security in Angular: Part 2
- Security in Angular: Part 3
- Securing Angular.js Applications
- So you thought you were safe using Angular.JS
- Tips to secure your Angular application
- Firefox Extensions/Add-Ons security best practices
HTTP Security Headers
- OWASP .NET Cheat Sheet
- Top .NET Secure Coding Practices for a Team
- ASP.NET MVC Security Best Practices
- ASP.NET WebForms Security Best Practices
- ASP.NET Core Security Tips
- Electron’s Official Documentation for Security
- Electron Security Checklist
- Securing Electron Apps with OpenID Connect & OAuth 2.0
- OpenStack Python Secure Development Guide
- Python Secure Coding Guidelines
- Python Security Best Practices Cheat Sheet
Ruby on Rails
- Ruby on Rails Official Security Guide
- Engineyard 17-item checklist
- Preventing Security Issues in Ruby on Rails
- OWASP Cheat Sheet for RoR
- MongoDB Official Security Checklist
- MongoDB Security Tips
- MongoDB Security Top 10
- Definitive Guide to MongoDB Security
Microsoft SQL Server
- Top 10 Security Considerations for your SQL Server Instances
- SQL Server Security Best Practices
- Microsoft’s Official SQL Server Security Guidance
Ubuntu Server Hardening
- Harden Ubuntu 18.04 in 5 Easy Steps
- Secure Ubuntu 16.04 LTS Part 1
- How to Harden Ubuntu 18.04 Server
- Best Practices for Hardening a new Ubuntu Server
NGINX Server Hardening
JSON Web Token (JWT)
Special thanks to: @sneakerhax for his contributions to the Node.js & Python resources.
I would also add the Openstack Python Secure Development Guide - https://security.openstack.org/#secure-development-guidelines
moveax41h last edited by
@sneakerhax Added, thank you!