Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
epse38552yDamn... That must be rock solid
I would love a "security first" framework. Is it open?
@Lor-inc Not yet as it's very much a work in progress and if someone would use it as 'secure', that would be a problem 😅
But, to give you an image of what the framework does;
Everything works based on a router which routes based on a config file to decrease the risk of file inclusion vulns. The router (all based on the config file) automatically performs rate limiting if configured for the specified route and checks if the parameters (put/post/whatever) are according to the configured requirements. The router also checks if authentication is required and if yes, does automated checks and so on. It's actually very tiny!
@Lor-inc But, open sourcing is definitely my goal!
taiga12yI am also working in a team which provide RESTful API services, we keep finding the history issues due to the bad design before, I would say it it something very hard to avoid as the product evolve.
Recently thinking about a new side project to build some framework to handle the security check issue, but one thing is, we cannot mess the existing integration so the framework must has some whitelist and it is not able to be perfect
It's only hard to avoid if your company is willing to neglect rigor and discipline.
If your testing suite doesn't test endpoint security and validation, or have basic fuzzing, and you don't whitebox test, you're shipping unfinished work. I don't know of any legitimate companies that also don't pay for external audits and blackbox testing. It's something that almost all insurance requirements will demand.
I would not say my company (at least as a rookie dev as me) is "willing" to neglect rigor and discipline.
maybe I did not give enough context, basically my team is API team which focus on the business logic implementation via our code, there is a separate team handling the security check work, however, things got lost and messed up during many times of product ownership transfer / reorg, our team are expected to provide some extra security check for specific endpoints besides the existing check (due to some fresh new hacker tech), it is kind of breaking change for the users who already integrated with us.
it is just a example how we should design the system well so we don't have those historical debt, the designer of the architecture was good at that time, but he was not able to know how the industry or technology changes, what new requirements comes, that is what I mean by "hard".
Hazarth55722yDo you have a blog, youtube channel, livestream or something where you share this knowledge? I'd love to learn from the experiences of someone who does 3hrs of security checks for something small and fun