Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.
Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and then decrypted on the database host?
Clearly my utter “noobishness” is showing, but at least it’s triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.
Any recommendations on literature or articles on how engineers solve these problems in a “best practices” way that you can recommend? I suppose I could just look it up, but I thought I’d ask.
Edit: I don’t know why I’m down-voted. My questions were sincere.
You’ve got the right ideas. Noone should ever be storing any password in plaintext. It should always be hashed and the hash stores. That’s like WEBDEV99 (remedial course, not even 101).
Really. Despite your stated “noobishness”, you basically landed in the territory of best practices right of the bat.
If you’re looking for a good source of best practices, the CIS benchmarks are great. https://www.cisecurity.org/
Brother, I need the “remedial” lessons since I self-host a lot of my experimental DNN solutions on a GPU cluster served via CasaOS/Ubuntu-Server LTS.
I’ve followed basic tutorials about nginx, end-to-end encryption, and DNS, but I need more knowledge and training about the theory behind modern security best practices. I think I’m doing okay but I have this ever-present anxiety that I’ve overlooked something and my ass (i.e., sensitive data) is really just hanging out in the wind.
Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and then decrypted on the database host?
Clearly my utter “noobishness” is showing, but at least it’s triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.
Any recommendations on literature or articles on how engineers solve these problems in a “best practices” way that you can recommend? I suppose I could just look it up, but I thought I’d ask.
Edit: I don’t know why I’m down-voted. My questions were sincere.
You’ve got the right ideas. Noone should ever be storing any password in plaintext. It should always be hashed and the hash stores. That’s like WEBDEV99 (remedial course, not even 101).
Really. Despite your stated “noobishness”, you basically landed in the territory of best practices right of the bat.
If you’re looking for a good source of best practices, the CIS benchmarks are great. https://www.cisecurity.org/
Brother, I need the “remedial” lessons since I self-host a lot of my experimental DNN solutions on a GPU cluster served via CasaOS/Ubuntu-Server LTS.
I’ve followed basic tutorials about nginx, end-to-end encryption, and DNS, but I need more knowledge and training about the theory behind modern security best practices. I think I’m doing okay but I have this ever-present anxiety that I’ve overlooked something and my ass (i.e., sensitive data) is really just hanging out in the wind.
Thank you for your recommendation.