ygjb 9 months ago
> Comments on security: This is a huge issue for me. I've followed best practices as nearly as I can, but I've also been asking around to find out who could do a comprehensive security audit, but haven't yet found anybody I trust. Does anybody have any recommendations on how to find someone?

The best first step is to conduct a review yourself; you may want to hire or recruit a volunteer to do a security review, but you can kick it off yourself by using free, open source tools to scan your application, your code, and your environment.

Your first stop should be https://developer.mozilla.org/en-US/observatory because there are some simple, prescriptive improvements you can make.

Your second stop should be using a container or cloud security scanning tool to check for vulnerable configurations and packages. There are a myriad of tools available, like Trivy for container scanning, Prowler https://github.com/prowler-cloud/prowler or ScoutSuite https://github.com/nccgroup/ScoutSuite for scanning your cloud environments, etc.

Your third stop should be https://www.zaproxy.org/, which is a free download you can use, and https://www.zaproxy.org/getting-started/ is a great way to get started. This will help you quickly identify low-hanging fruit that can be found through automated scanning.

Your fourth stop should be running language-appropriate static analysis tools against your application. There are too many to mention, but here is a good starting list: https://owasp.org/www-community/Source_Code_Analysis_Tools

All of these will give you quick, tactical things you can address. Once you get through any critical findings (which frequently, but not always, means they are directly exploitable without additional effort) you should threat model your application, and build a plan for security: https://owasp.org/www-community/Threat_Modeling
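To make the "first stop" concrete, here is an added example (not from the comment above, and not Observatory's own code) that audits a captured set of response headers for the prescriptive fixes Observatory reports on. The rules and thresholds are my approximation of Observatory's checks, not its real scoring; the sample headers are constructed.

```python
# Approximation of Observatory-style header checks (assumed rules, not Observatory's code).
import re

SIX_MONTHS = 15552000  # seconds; assumed minimum HSTS max-age, as Observatory recommends

def _csp_directives(csp: str) -> dict:
    """Parse "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_security_headers(headers: dict) -> list:
    """Return findings for a header mapping (header names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("HSTS: Strict-Transport-Security missing")
    elif int(m.group(1)) < SIX_MONTHS:
        findings.append("HSTS: max-age below six months")
    csp = _csp_directives(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP: Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("CSP: script-src allows 'unsafe-inline'")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("Clickjacking: no frame-ancestors or X-Frame-Options")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    cookie = h.get("set-cookie", "")  # a single Set-Cookie value is assumed here
    for flag in ("Secure", "HttpOnly"):
        if cookie and not re.search(r";\s*%s\b" % flag, cookie, re.I):
            findings.append("Cookie: %s flag missing" % flag)
    return findings

# Constructed sample headers: an un-hardened app, and the same app after the fixes.
WEAK_HEADERS = {"Set-Cookie": "session=abc123; Path=/",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"}
if __name__ == "__main__":
    print(audit_security_headers(WEAK_HEADERS), audit_security_headers(HARDENED_HEADERS))
```

Feed it the headers from a real response (for example, copied from the browser's network tab) to get a first fix list before running the full Observatory scan.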
bhpreece 9 months ago | parent
Thank you for these recommendations. I'll check out all of them.