How do you know that your website is secure? (Accounting for your own errors only, that is, assuming that the libraries you are using are flawless.) For each problem (for example, XSS, MitM, etc.), there is a list of solutions that you can search for, but most of the time you don't. You don't even know that there is a problem. Consider this: I work on a website. I thought everything was solid: it uses HTTPS, the passwords are hashed, CORS is enabled only for specific domains, the whole nine yards. Everything was locked up as tight as possible. Or so I thought. Then, while I was browsing the Internet, I discovered CSRF. I did not know that it was something I had to be careful about, so the website is vulnerable.
Now, I have been programming for many years. I've read a lot about security, followed a university course on cryptography, and have (IMO) a good level of knowledge about threat models, hash functions, and so on. If I can so easily miss an (apparently common) security vulnerability, what hope is there for the average person who learned to program last year? How does the Internet work at all? It seems that as soon as I know all the things I need to watch out for, there is another one. And another. Not even NEW things, like Heartbleed, but things that have ALWAYS been dangerous. I'm pretty confident that it's theoretically possible to be perfectly secure, but you're expected to know so many magical things that it's practically impossible to do.
My question boils down to: Is there a list such that, if I do everything on it, I am sure to be secure? (Assuming libraries, browsers, hosts, etc. are flawless.)
Now, I realize there are different levels of response to this question: a stateless server that only serves public static content and does not store any data is invulnerable to almost anything. If you want state, the list of things you need to do grows. Therefore, a good answer should either give a list covering all cases, or give several lists, each of them securing a certain set of common capabilities. (Links to lists are allowed and maybe even preferred.)