Public Web Application

arcanebits
Veteran Member
Posts: 104
Joined: 2018-12-10 21:52

Public Web Application

Post by arcanebits » 2019-09-26 13:14

Hi everybody! I'm developing a public web application with AppGini and at this point I can say I'm really pleased with the product.
I have some questions that may already have answers, so please link me if that is the case for each question.
1- The app will be public and login / password will be a requirement to access it; is AppGini by itself secure enough?
2- I need some security tips, not paranoid ones, but best security practices will be just fine; I just don't want the site to be hacked.

Thanks in advance

arcanebits
Veteran Member
Posts: 104
Joined: 2018-12-10 21:52

Re: Public Web Application

Post by arcanebits » 2019-09-30 21:52

Not very satisfied with the help in the forum; it gives the impression that AppGini is quite insecure and not ready for developing commercial web apps.... Is that so?

onoehring
AppGini Super Hero
Posts: 1158
Joined: 2019-05-21 22:42
Location: Germany

Re: Public Web Application

Post by onoehring » 2019-10-01 12:14

Hi,

well, I would disagree. There have been some posts, but AG tries to give developers some peace of mind. If you are looking for possible security problems, you might want to check specific security-test sites.
Please note that not only the application might have security problems, but since we are talking web, every single point: OS (and configuration), web server (and configuration), MySQL configuration and user configuration.

If you are uncertain about security, I would strongly suggest not developing web applications yourself anyway. If AG produces unsafe code (and I say if), it's probably likely that a single developer will make similar mistakes sooner or later as well. Those might be much worse than using a tool which - at least in a forum like here - gets some attention from different people.

Olaf

arcanebits
Veteran Member
Posts: 104
Joined: 2018-12-10 21:52

Re: Public Web Application

Post by arcanebits » 2019-10-01 12:42

As an ethical hacker, with more than 30 years working in IT, I agree with most of the things, and also one of the reasons I put my mind on AppGini is 1-Mature SW and 2-Uses Linux; both aspects show a more robust future development of my app... and yes, I do pentesting on my products.

The second post was because 5 days passed with zero interactivity from support or people on the forum, while other topics were thriving with life; it is by deduction that I thought "this is the weak side".

Cheers
Aldo

onoehring
AppGini Super Hero
Posts: 1158
Joined: 2019-05-21 22:42
Location: Germany

Re: Public Web Application

Post by onoehring » 2019-10-01 13:16

Hi Aldo,

maybe it's also that security is directly communicated to the developer.
There are some people very active here (thanks, guys).
For myself: When I am posting something of my own interest here, I might answer other posts. Maybe the gurus of AG did not see any need right now to post - and you will agree, a newbie is not the person you want to have security advice from.

Olaf

arcanebits
Veteran Member
Posts: 104
Joined: 2018-12-10 21:52

Re: Public Web Application

Post by arcanebits » 2019-10-01 13:42

Sure thing Olaf, I was only wondering, with the whole lot of people in here (some newbies and surely some not newbies and quite experienced guys with the tool), about some first takes on sec, but thanks anyway; from now on, I will rely on the Gurus only...
Cheers!
Aldo

jsetzer
AppGini Super Hero
Posts: 1813
Joined: 2018-07-06 06:03
Location: Kiel, Germany

Re: Public Web Application

Post by jsetzer » 2019-10-01 19:08

Thanks for opening this discussion! I can only contribute my personal opinion from my point of view and experience:

Security of public web applications is a very sensitive and complex topic: It's not just about encrypting passwords, avoiding SQL injection, and handling sessions. It also covers related issues such as trusting hosting environments, firewall settings, avoiding spam, blocking brute force attacks, keeping users' personal data secure, motivating users to use secure passwords and changing them regularly, and so on and so on. Some of the issues not only challenge myself in the role of the software developer, but I also need the help of network departments, support staff, contractors and suppliers.

The above points do not affect AppGini only, but generally the development and release of any public web software. Be it an AppGini application or an application created with other code generators or coded using other frameworks. Even more so in the case where someone thinks her/his completely self-written code is safer than the code generated by AppGini.

As for the first issues mentioned above (like SQL injection), each of us is required to use the possibilities that AppGini already offers (for example the makeSafe() function).

Personally, I prefer intranet applications. I am particularly concerned with a limitation of liability. Then the network department is technically responsible - also for HTTPS, for connecting and securing mobile devices via VPN to the server in the data center and so on.

In summary, I would like to say three things:
  1. In private/closed network environments (such as intranet, extranet), I fully trust AppGini code.
    Vulnerabilities are more likely to be opened by users, not by generated code.
  2. In public environments, I trust AppGini code more than programming everything myself.
    I trust AppGini code at least as much as I trust the code I have seen in other frameworks and code-generators.
    And in public environments I would put more emphasis on complementary measures such as brute force blockade, monitoring, logging, moderation and manual release of records.
  3. There is no secure system that is publicly available. Those who have criminal energy will hurt any system. Even the really big platforms, and I mean the VERY big platforms, are experiencing that every day.

I would like to address those Network-Gurus here, who (more than myself) are familiar with the technical details that are not directly related to the software, such as network issues, for example. Furthermore, I would like to address those Software-Gurus here, who have concrete ideas about how to secure the code. I would like to suggest that we all should collect the issues that concern us and support @BigProf in making AppGini code better and safer piece by piece.

With kind regards,
Jan
Kind regards,
<js />

My AppGini Blog:
https://appgini.bizzworxx.de/blog

You can help us help you:
Please always put code fragments inside [code]...[/code] blocks for better readability

AppGini 24.10 Revision 1579 + all AppGini Helper tools
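The makeSafe() point above, as an added illustration that is not part of the thread or of AppGini's own generated code: a custom lookup in a hook file that interpolates request data straight into SQL, next to the same lookup escaped with makeSafe(). It assumes an AppGini app whose lib.php provides makeSafe() and sql() (the $eo options array with 'silentErrors' is assumed from the generated code), plus a constructed table "orders" with a text column "customer" and an integer column "id".

```php
<?php
// Added example, not code from the forum post or from AppGini itself.
// Assumed: the generated lib.php defines makeSafe() and sql($statement, &$eo).
require_once(__DIR__ . '/../lib.php');

// VULNERABLE: the raw request value lands inside the quoted string literal.
// Any single quote in the input ends the literal early and the rest of the
// value is parsed as SQL, so the WHERE clause no longer means what was written.
function unsafe_orders_for_customer() {
    $customer = isset($_GET['customer']) ? $_GET['customer'] : '';
    $eo = ['silentErrors' => true];
    return sql("SELECT id FROM orders WHERE customer='{$customer}'", $eo);
}

// HARDENED: makeSafe() escapes quotes and other special characters for the
// active MySQL connection, so the whole request value stays plain data.
function safe_orders_for_customer() {
    $customer = makeSafe(isset($_GET['customer']) ? $_GET['customer'] : '');
    $eo = ['silentErrors' => true];
    return sql("SELECT id FROM orders WHERE customer='{$customer}'", $eo);
}

// For numeric keys, casting is the simplest hardening: nothing but digits
// survives, so no escaping question arises at all.
function safe_order_by_id() {
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;
    $eo = ['silentErrors' => true];
    return sql("SELECT id, customer FROM orders WHERE id={$id}", $eo);
}
```

The same rule applies wherever a hook or a custom page builds a statement from $_GET, $_POST or $_REQUEST values: every string fragment passes through makeSafe() and every numeric fragment is cast before it touches the query.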

arcanebits
Veteran Member
Posts: 104
Joined: 2018-12-10 21:52

Re: Public Web Application

Post by arcanebits » 2019-10-01 19:34

Amazing post Jan! KUDOS! And THANKS A LOT! A good clean mindset you have! I will adopt some of your philosophy!
Aldo
