No. 720
Any user data that doesn't need to be reproduced (e.g. passwords) use a secure hashing algorithm (bcrypt or PBKDF2). Anything you do need to reproduce (e.g. names, emails, credit card numbers) encrypt with a secure encryption algorithm (AES). Use libraries that already have these written and DO NOT write the algorithms yourself.
Securing code that is going to run in the browser is impossible. Anything that you wouldn't open source needs to run on your server and only send the results back to the client. Do not rely on anything coming from the client as being correct.
Minimize the number of places your app receives data. Test every input with good data, bad data, random garbage, malicious data, and if possible open source that code and ask for feedback from StackExchange.
As for the physical setup, do not store anything that you wouldn't make public anywhere but a server that you physically control. Keep it behind locked doors in a secure building. The USA is probably the best place to keep it unless you'll be running up against the law, in which case a Nordic country might be safer.
To be safe against physical takedowns, you want a distributed system. Use something like AWS to get everything on a lot of servers. Ideally, you could run it on clients, like BitTorrent or Tor.
This advice is very contradictory. You have to make the tradeoffs about what kind of security you need and what is possible based on your application. A distributed system without identification works really well for BitTorrent but would be awful for Facebook. All-data encryption is great for the military, but overkill for an imageboard. Without knowing what you want to do, it's impossible to give any real advice.
If you are really going to make money off of this, pay an expert and give them an NDA. If you aren't able to invest in the idea, get venture capital after you make a prototype. And remember two things: you'll never be 100% secure, and an insecure product that exists is infinitely more valuable than a secure one that doesn't.