Thanks for writing this, I find the security mindset useful all over the place and appreciate its applicability in this situation.
I have a small thing unrelated to the main post:
To my knowledge, no one tried writing a security test suite that was designed to force developers to conform their applications to the tests. If this was easy, there would have been a market for it.
I think weak versions exist (i.e. things that do not guarantee/force, but nudge/help). I first learnt to code in a bootcamp which emphasised test-driven development (TDD). One of the first packages I made was a TDD linter. It would simply highlight in red any functions you wrote that did not have a corresponding unit test, and any file you made without a corresponding test file.
Also if you wrote up anywhere the scalable solutions to 80% of web app vulnerabilities, I’d love to see.
My project seems to have expired from the OWASP site, but here is an interactive version that should have most of the data:
https://periodictable.github.io/
You’ll need to mouse over the elements to see the details, so not really mobile friendly, sorry.
I agree that linters are a weak form of automatic verification that are actually quite valuable. You can get a lot of mileage out of simply blacklisting unsafe APIs and a little out of clever pattern matching.
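Both of the linter ideas in this thread (the TDD linter that flags functions with no matching unit test, and the "blacklist unsafe APIs" linter mentioned just above) are name-based checks on the syntax tree. As an added example, not code from either commenter or from any real linter, here is a small Python version built on the standard `ast` module. The denylist entries, the sample module and the sample test file are constructed for illustration; the function-name matching (`test_<name>` or `test_<name>_…`) and the callee-name matching are deliberately the weak, nudge-level checks the thread describes, so aliasing such as `from os import system` slips through, and the "file without a test file" half of the TDD linter is left out because it is a filesystem walk rather than an AST check.

```python
from __future__ import annotations
import ast

# Denylist of callee names as written in source, with the reason each is risky.
# Constructed for this example; extend it for your own codebase.
UNSAFE_CALLS = {
    "eval": "evaluates a string as code",
    "exec": "executes a string as code",
    "os.system": "runs a shell command string (injection if any part is attacker-controlled)",
    "pickle.load": "deserialises untrusted data, which can execute code",
    "pickle.loads": "deserialises untrusted data, which can execute code",
    "yaml.load": "YAML deserialisation without an explicit SafeLoader",
}
# Calls that are only flagged when shell=True is passed.
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.check_output", "subprocess.Popen"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def _callee_name(call: ast.Call) -> str:
    """Dotted name of the callee as written ('os.system', 'eval'); '' if not a plain name."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


def _is_safe_loader(call: ast.Call) -> bool:
    """True if yaml.load was given a SafeLoader, as Loader= keyword or second positional arg."""
    loader = next((kw.value for kw in call.keywords if kw.arg == "Loader"), None)
    if loader is None and len(call.args) > 1:
        loader = call.args[1]
    if isinstance(loader, ast.Attribute):
        return loader.attr in SAFE_LOADERS
    if isinstance(loader, ast.Name):
        return loader.id in SAFE_LOADERS
    return False


def find_unsafe_calls(source: str) -> list[tuple[int, str, str]]:
    """Return (line, callee, reason) for each denylisted call, in source order.

    Purely name-based: `from os import system; system(cmd)` is not caught,
    which is why this nudges rather than guarantees.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name == "yaml.load" and _is_safe_loader(node):
            continue
        if name in UNSAFE_CALLS:
            findings.append((node.lineno, name, UNSAFE_CALLS[name]))
        elif name in SHELL_CALLS:
            shell = next((kw.value for kw in node.keywords if kw.arg == "shell"), None)
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append((node.lineno, name, "shell=True passes the command through a shell"))
    return sorted(findings)


def find_untested_functions(module_source: str, test_source: str) -> list[str]:
    """Public top-level functions in module_source with no test_<name> or test_<name>_* test."""
    defined = {
        n.name for n in ast.parse(module_source).body
        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)) and not n.name.startswith("_")
    }
    tests = {
        n.name for n in ast.walk(ast.parse(test_source))
        if isinstance(n, ast.FunctionDef) and n.name.startswith("test_")
    }
    return sorted(f for f in defined
                  if not any(t == f"test_{f}" or t.startswith(f"test_{f}_") for t in tests))


# Constructed sample module and test file (not from any real project); only parsed, never imported.
SAMPLE_MODULE = '''
import os, pickle, subprocess, yaml

def parse_config(text):
    return yaml.load(text, Loader=yaml.SafeLoader)

def load_session(blob):
    return pickle.loads(blob)

def run(cmd):
    subprocess.run(cmd, shell=True)

def list_dir(path):
    return os.listdir(path)

def _helper():
    return eval("1+1")
'''

SAMPLE_TESTS = '''
def test_parse_config():
    assert parse_config("a: 1") == {"a": 1}

def test_list_dir_empty():
    assert list_dir(".") is not None
'''

if __name__ == "__main__":
    for line, name, reason in find_unsafe_calls(SAMPLE_MODULE):
        print(f"line {line}: {name}: {reason}")
    for fn in find_untested_functions(SAMPLE_MODULE, SAMPLE_TESTS):
        print(f"no test for {fn}()")
```

On the sample module this reports `pickle.loads`, `subprocess.run(..., shell=True)` and `eval`, skips the `yaml.load` that names `SafeLoader`, and lists `load_session` and `run` as untested (`list_dir` is covered by `test_list_dir_empty` through the prefix rule). The prefix rule is a heuristic, so a test named `test_list_dir_empty` would also "cover" a function called `list`; tighten it if that matters to you.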
I just want to let you know that this table was really useful for me for something I’m working on. Thank you for making it.
I’m glad you found it useful, even in this form. If the thing you’re working on is something you could share, I’d be happy to offer further assistance, if you like.
Thanks kindly for the offer, I will DM you
Thanks for sharing, this is a really nice resource for a number of problems and solutions.