Wednesday, 3 July 2019

Designing application with paranoid security (thoughts)

I am currently collecting a technology stack to redesign a certain application for security strengthening. App is primarily CRUD type with wide possibilities of searching and generating statistics and reports. The security features must be taken extremely seriously because of the database content. The first version was a huge monolith but allows me to see potential problems. Now it's time to do it right. I hope to turn it into a business (some time in the future).This is REST API application with restricted access for user groups with different ACL. It is mainly about data access control, logging activities, etc. So far, the database runs on MongoDB (mainly due to the diversified records structure). Backend is written in JS (express) with reactJS frontend.​Current thoughts:Micro-services architecture based on NestJS + GraphQLJWT-based authentication with refresh token2FA (I don't know yet whether by one-time codes / sms / push )Password policy (Forcing a change once a month)Checking users passwords for leaks on https://haveibeenpwned.com/Database encryption at REST (https://www.percona.com/software/mongo-database/percona-server-for-mongodb ?)Of course, SSLEncryption of the most sensitive data in the database (Is that a good idea?)ACL implementation ( What module?)Keeping secrets in a dedicated solution (https://www.vaultproject.io/ ?)API Rate LimitingCaptcha/reCAPTCHA ?I would very much like your suggestions and comments.

Submitted July 03, 2019 at 07:15AM by kszyh_pl

No comments:

Post a Comment