by thephyber
2293 days ago
Normally I might try to enumerate examples, but I agree with bdibs that OWASP generally holds the canonical text for authentication of web apps. Alex Stamos, former head of security at Facebook, described the security issues they got as a pyramid where the vast majority of issues were basic fraud, friend/family trust, fake login pages / fake emails, reused credentials, and email takeover. You won't be able to help with most of these unless you can help your users change their behavior. For the other stuff, use the best SDLC techniques, never commit secure strings to version control (assume your source repo is misconfigured), use 12 Factor principles, read OWASP docs, and search for relevant HackerOne disclosed reports (or blog articles, CTF write-ups). There is no amount of coding that can replace red team user testing / a security audit.