Which Is Safer, Web Application or Web API?


I have a project where there will be a web API to "communicate" with mobile applications. This one is for queries only. In addition, there will be the administration side, which boils down to entering data.

The question is about the administration side: is it safer to use a web application with "direct" access to the DB, or to use the web API's features? Taking into account the necessary security applied in both cases.

  • Neither. Your web application can access an API and still not be secure, in the same way as with "direct" access to the DB. You need to understand the concepts of web and API, and security, which is something quite different. You need to implement security in both cases.

  • Thank you for your attention; in matters of security, I am the most basic of the basic. But restating the question: in the environment I mentioned, what would you recommend? Use the API for all operations (CRUD), or split these operations between the API (query) and a web application (CRUD) with direct access to the DB?

  • I would recommend the use of DDD in any application.

1 answer

5

The one that is well done, by someone who understands security. That is, either of the two, if it is well done.

If either of them had less security, it should not be used. If you encounter any security problem, it should be a bug to be corrected.

If you don't understand what you're doing and all the implications of everything you do, then they're both insecure, not because they were built that way, but because whoever did it can't make it safe.

Insecurity is exploited by people who understand a lot about what they do, against what has been done by people who understand little or nothing.

And learning what to do is not learning cake recipes; it is learning all the fundamentals in depth, because only then will you understand everything that can occur and mitigate it. That is, to make something secure you have to know as much as the one who exploits the security flaws.

If there is one area where you can't pretend to know, where you can't follow recipes, it is security, because the biggest insecurities still don't have any recipe.

Of course, most systems, especially on the web, are extremely vulnerable because they're made by people who don't even know the basics and make very basic mistakes that were solved decades ago.

When systems weren't on the web, they were safer for the simple fact that few people could access them. Now everyone can; you cannot trust anything external, and you have to protect yourself from everything we know and everything we don't know. And today people have the idea that anyone can program, when in fact it has gotten a lot harder. So today the overwhelming majority of applications are insecure and vulnerable, and the vast majority of servers are, or will be, operating in the service of crackers, some for years or decades without the owner knowing.

If you take into account that the programmer did everything right, both are equally safe.

Even if one were safer, what's the point of using it if what you need to use is the other?

I would not recommend using DDD in any application. Unless, of course, it is very suitable for that application, you totally master the subject, and you have a good implementation of it (and I'll give you a hint: not even the creator of the term did a good one, which generates atrocities). I don't know what it does here, but I thought it best not to leave this myth unanswered, that it would somehow help security; on the contrary, what I see is people running code in the wrong layer, creating their own dubious mechanisms to replace what already exists and is considered safe, so security only tends to get worse, even more so because people do not see that it is happening. In fact, anything that is applied to everything is already wrong by definition. Even the greatest advocates of DDD do not use it for everything.

An example of how people do not understand security is that they voted to close the question as opinion-based. Security either exists or it does not. It is measurable, and even without measuring it, the condition of the technologies is public knowledge, and the inherently insecure ones are considered obsolete and only used by those who do not read documentation (which few do, and let's not even start talking about security with those who do, about 80, 90%). Okay, I understand that someone may have voted out of some kind of bias or inattention, but it's important to know that too.

Summary

Both are safe; safety is given by the quality of the programmer. Use what meets your need, and aim to be a complete professional or hand it over to those who can help with the issue, and do not buy myths. Accept that you don't understand security, as I do, and research so as to at least not make the basic mistakes that most people make without even realizing it.

Those who understand this and act accordingly make safer systems; those who think they make safe systems without observing this are deluding themselves, and many experienced people do so.

I hope you enjoy the tips.

  • Again, thank you for the explanation. I chose to divide the operations between the web application and the web API so as not to put "all eggs in the same basket".
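The answer's central claim, that choosing between a web application with direct DB access and a web API does not by itself make the system safer, is easiest to see with the same query written two ways. The following is an added example, not code from the question or the answer. It uses a constructed in-memory SQLite table standing in for the project's database, a lookup written by pasting the caller's string into SQL (one of the "basic mistakes solved decades ago" the answer alludes to; that it is SQL injection specifically is my assumption, since the page names no particular flaw), the same lookup with a parameterized query, and a hypothetical API handler that forwards to either one. The API layer does not rescue the unsafe query, and the direct-access path is fine when the query is parameterized.

```python
import sqlite3

# Constructed sample data (assumption): a "consultation" table the mobile app
# reads. Only rows marked public are meant to be visible to callers.
SAMPLE_ROWS = [
    (1, "alice", "public"),
    (2, "bob", "public"),
    (3, "admin", "secret"),
]


def make_db():
    """Build the in-memory database used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """'Direct' DB access written badly: the caller's string becomes SQL text.

    A name such as  x' OR 1=1 --  turns the WHERE clause into
    name = 'x' OR 1=1 and comments out the visibility filter, so the
    'secret' row is returned as well.
    """
    sql = f"SELECT id, name FROM items WHERE name = '{name}' AND visibility = 'public'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The same operation with a parameterized query: input is data, never SQL."""
    sql = "SELECT id, name FROM items WHERE name = ? AND visibility = 'public'"
    return conn.execute(sql, (name,)).fetchall()


def api_lookup(conn, request, query_fn):
    """Hypothetical API handler: validates the shape of the request and forwards
    to a data-access function. Putting this layer in front changes nothing about
    whether the query underneath is safe; that is decided by query_fn.
    """
    name = request.get("name", "")
    if not isinstance(name, str) or len(name) > 64:
        return {"status": 400, "rows": []}
    return {"status": 200, "rows": query_fn(conn, name)}


def demo():
    """Run the honest query and the injected query through both paths."""
    conn = make_db()
    payload = "x' OR 1=1 --"  # constructed hostile input
    return {
        "direct_unsafe_honest": lookup_unsafe(conn, "alice"),
        "direct_unsafe_injected": lookup_unsafe(conn, payload),
        "direct_safe_injected": lookup_safe(conn, payload),
        "api_unsafe_injected": api_lookup(conn, {"name": payload}, lookup_unsafe),
        "api_safe_injected": api_lookup(conn, {"name": payload}, lookup_safe),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Both "direct" calls and both API calls run the same two queries, so the result depends only on which query function was written: the unsafe one leaks the `secret` row through either path, and the parameterized one returns nothing for the hostile input through either path.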
